[Snort-users] anything to worry about?

Max Vision vision at ...4...
Fri Oct 6 18:37:18 EDT 2000


This rule you are using isn't from arachNIDS.  When you did your search
you probably found IDS176/socks4-active, which has the following
signature:

alert TCP $INTERNAL 1080 -> $EXTERNAL any
(msg: "IDS176/socks4-active"; flags: AP; content: "|04 5A|"; depth: 2;)

The false-positives field of the database reads:
   Rare cases of normal return traffic might trigger the rule, however the
   restrictive content rule and depth:2 flag minimize the risk of
   triggering a false positive.

The depth:2 relieves false-positives like that one you see below.  So if
you aren't using vision.conf you might want to add the depth restriction
to your current rule :)

Max

On Fri, 6 Oct 2000, Robert E. Leever wrote:
> Whitehat's arachNIDS shows 3 hits for WinGate, and one has a
> content of 04 5A, whereas this has several sets of 04 CF.
> These are both internal IP addresses behind our firewall.
> 
> Does anyone know what these are?[this is one of dozens and dozens
> on this xx.xx.50.0/24 subnet.]
> 
> 
> # cat *1080*
> [**] WinGate 1080 Attempt [**]
> 10/06-09:42:41.874129 198.183.201.3:53 -> 172.16.50.198:1080
> UDP TTL:253 TOS:0x0 ID:3948  DF
> Len: 104
> 00 01 85 80 00 01 00 04 00 00 00 00 06 73 65 61  .............sea
> 72 63 68 03 6D 73 6E 03 63 6F 6D 00 00 01 00 01  rch.msn.com.....
> C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B9 63  ...............c
> C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E D1 C8  ................
> C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B0 7F  ................
> C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B3 11  ................
> 
> 
> thanks 
> 
> b;)
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
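The packet quoted above is a DNS answer (UDP, source port 53) and the arachNIDS rule is a TCP rule keyed on source port 1080, so the two never meet; the interesting part of Max's advice is what `depth: 2` does to the `content: "|04 5A|"` test. The following Python is an added example, not code from the thread, from Snort or from arachNIDS. It transcribes the quoted hex dump, decodes it as DNS to show what it is, and emulates Snort's content/depth semantics on three payloads: the quoted one, a constructed DNS answer whose A record points into 90.0.0.0/8 (so the rdlength byte `04` is followed by `5A` deep inside the payload), and a constructed reply that begins with the two signature bytes. Only the content and depth options are modelled; protocol, ports and TCP flags are assumed to have matched already.

```python
"""Emulate Snort content/depth matching and decode the DNS answer quoted in the thread.

Added example; not part of the original post, Snort or arachNIDS.
"""
import struct
from typing import List, Optional, Tuple

# UDP payload transcribed from the hex dump in the quoted mail. "Len: 104" is the
# UDP length including its 8-byte header, so the payload is 96 bytes.
DNS_PAYLOAD = bytes.fromhex(
    "00 01 85 80 00 01 00 04 00 00 00 00 06 73 65 61"
    "72 63 68 03 6D 73 6E 03 63 6F 6D 00 00 01 00 01"
    "C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B9 63"
    "C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E D1 C8"
    "C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B0 7F"
    "C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B3 11"
)

# Constructed: same answer, but the first A record now points at 90.1.2.3, so the
# rdlength "00 04" is followed by 0x5A and the payload contains "04 5A" at offset 43.
FALSE_POSITIVE_PAYLOAD = DNS_PAYLOAD[:44] + bytes([90, 1, 2, 3]) + DNS_PAYLOAD[48:]

# Constructed: a reply that starts with the two bytes the signature looks for.
SOCKS_REPLY = bytes.fromhex("04 5A 00 50 C0 A8 01 0A")

SIGNATURE = b"\x04\x5a"  # content: "|04 5A|" from IDS176/socks4-active


def content_match(payload: bytes, pattern: bytes, depth: Optional[int] = None) -> bool:
    """Snort semantics: with depth N the pattern must lie entirely within the
    first N payload bytes; without depth the whole payload is searched."""
    window = payload if depth is None else payload[:depth]
    return pattern in window


def rule_verdicts(pattern: bytes = SIGNATURE) -> dict:
    """For each sample payload: (matches without depth, matches with depth 2, offset)."""
    samples = {"dns_msn": DNS_PAYLOAD, "dns_90net": FALSE_POSITIVE_PAYLOAD,
               "socks_reply": SOCKS_REPLY}
    return {name: (content_match(p, pattern), content_match(p, pattern, depth=2),
                   p.find(pattern)) for name, p in samples.items()}


def _read_name(payload: bytes, offset: int) -> Tuple[str, int]:
    """Read a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears at the original spot)."""
    labels: List[str] = []
    end = offset
    jumped = False
    jumps = 0
    while True:
        length = payload[offset]
        if length & 0xC0 == 0xC0:          # compression pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("pointer loop in DNS name")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack_from("!H", payload, offset)[0] & 0x3FFF
            continue
        if length == 0:                     # root label terminates the name
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns_response(payload: bytes) -> dict:
    """Minimal decoder: header, question section and answer RRs (A records as dotted quads)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", payload, 0)
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = _read_name(payload, offset)
        qtype, qclass = struct.unpack_from("!HH", payload, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, offset = _read_name(payload, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack_from("!HHIH", payload, offset)
        offset += 10
        rdata = payload[offset:offset + rdlength]
        offset += rdlength
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlength == 4 else rdata.hex()
        answers.append((name, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


if __name__ == "__main__":
    decoded = parse_dns_response(DNS_PAYLOAD)
    print("quoted packet:", decoded["questions"], decoded["answers"])
    for name, (anywhere, depth2, off) in rule_verdicts().items():
        print(f"{name:12s} no-depth={anywhere!s:5s} depth2={depth2!s:5s} offset={off}")
```

Running it shows the quoted packet to be an ordinary answer for search.msn.com (four A records in 207.46.0.0/16 with a 3600 s TTL) that contains no `04 5A` at all, while the constructed 90.0.0.0/8 answer trips the content test only when depth is absent; `depth: 2` pins the match to the first two payload bytes, which is where a real reply would carry them.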