[Snort-users] Possible false positive?
harrym at ...10739...
Thu Dec 11 05:58:09 EST 2003
I've just set up snort on my Win2k3 system for the first time, so this might
be misconfiguration :)
I'm getting alerts for rule 1112
(http://www.snort.org/snort-db/sid.html?sid=1112, WEB-MISC http directory
traversal). The destination ports do not match the contents of my HTTP_PORTS
variable (var HTTP_PORTS 80:4711). Here is a sample, copied from ACID:
ID         Signature                                           Timestamp            Source Address    Dest. Address    Layer 4 Proto
#0-(1-52)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:44:36  <removed>:59971   <removed>:4662   TCP
#1-(1-51)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:44:33  <removed>:3974    <removed>:4662   TCP
#2-(1-50)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:42:57  <removed>:3974    <removed>:4662   TCP
#3-(1-49)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:42:53  <removed>:4662    <removed>:3940   TCP
The data being logged is actually eMule traffic. I can't see anything in the
payload that makes snort's reason for logging this traffic obvious. Does
anyone know why this rule is being matched? Could it be misconfiguration or
is it a false-positive? How might I go about stopping eMule from triggering
this rule without deleting it? (It seems like a good rule to keep). This
rule's entry in the signature database states that no false positives are
known, which leads me to think that it's probably misconfiguration, but I
don't see where.
Thanks in advance!
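Added example, not from the original thread: a small parser for Snort's port-variable syntax, in which a colon denotes an inclusive range (so `80:4711` covers every port from 80 through 4711), used to check whether the destination ports from the alerts above actually fall inside HTTP_PORTS before concluding a rule is misfiring. Bracketed port lists are the later portvar syntax; the sample port values are taken from the alerts in the post.

```python
"""Parse Snort port-variable syntax and test ports against it.

Assumed syntax (Snort 2.x rule-header port semantics):
  80                 single port
  80:4711            inclusive range
  :1024  /  1024:    open-ended ranges
  [80,443,8000:8010] list (later portvar syntax)
  !80 / ![80,443]    negation
  any                all ports
"""
from typing import Dict, List, Tuple


def _parse_item(item: str) -> Tuple[int, int]:
    """Turn one port token into an inclusive (low, high) pair."""
    item = item.strip()
    if item == "any":
        return (0, 65535)
    if ":" in item:
        lo, hi = item.split(":", 1)
        lo_v = int(lo) if lo else 0          # ':1024' starts at 0
        hi_v = int(hi) if hi else 65535      # '1024:' runs to 65535
    else:
        lo_v = hi_v = int(item)
    if not 0 <= lo_v <= hi_v <= 65535:
        raise ValueError(f"bad port spec {item!r}")
    return (lo_v, hi_v)


def parse_ports(spec: str) -> Tuple[bool, List[Tuple[int, int]]]:
    """Return (negated, ranges) for a Snort port specification."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return negated, [_parse_item(t) for t in spec.split(",") if t.strip()]


def port_matches(spec: str, port: int) -> bool:
    """True if `port` is selected by `spec` (negation honoured)."""
    negated, ranges = parse_ports(spec)
    hit = any(lo <= port <= hi for lo, hi in ranges)
    return hit != negated


# Constructed sample: the poster's HTTP_PORTS value and the alert ports.
HTTP_PORTS = "80:4711"
ALERT_DST_PORTS = [4662, 3940]


def check_alerts(spec: str = HTTP_PORTS, ports=ALERT_DST_PORTS) -> Dict[int, bool]:
    """Map each alert destination port to whether it lies inside `spec`."""
    return {p: port_matches(spec, p) for p in ports}
```

Run it and both 4662 and 3940 report as inside `80:4711`; a single-port value such as `80` (or a bracketed list, where supported) is what restricts the rule to real web ports.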