[Snort-users] Possible false positive?

Harry M harrym at ...10739...
Thu Dec 11 05:58:09 EST 2003


I've just set up snort on my Win2k3 system for the first time, so this might
be misconfiguration :)

I'm getting alerts for rule 1112
(http://www.snort.org/snort-db/sid.html?sid=1112, WEB-MISC http directory
traversal). The destination ports do not match the contents of my HTTP_PORTS
variable (var HTTP_PORTS 80:4711). Here is a sample, copied from ACID:

   ID          Signature                                             Timestamp            Source Address    Dest. Address    Layer 4 Proto
   #0-(1-52)   [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:44:36  <removed>:59971   <removed>:4662   TCP
   #1-(1-51)   [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:44:33  <removed>:3974    <removed>:4662   TCP
   #2-(1-50)   [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:42:57  <removed>:3974    <removed>:4662   TCP
   #3-(1-49)   [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:42:53  <removed>:4662    <removed>:3940   TCP

The data being logged is actually eMule traffic. I can't see anything in the
payload that makes snort's reason for logging this traffic obvious. Does
anyone know why this rule is being matched? Could it be misconfiguration or
is it a false-positive? How might I go about stopping eMule from triggering
this rule without deleting it? (It seems like a good rule to keep). This
rule's entry in the signature database states that no false positives are
known, which leads me to think that it's probably misconfiguration, but I
don't see where.

Thanks in advance!

Arta
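In Snort's port syntax, `80:4711` is not a pair of ports but an inclusive range from port 80 through port 4711, so both destination ports in the ACID rows above (4662 and 3940) fall inside HTTP_PORTS and rule 1112 is evaluated against that eMule traffic. The following Python is an added example, not code from the post or from the Snort project: it expands a Snort 2.x-style port variable value into the set of ports it covers and checks the observed destination ports against it. The sample port list is constructed from the table above; the handling of bracketed lists, open-ended ranges, `any` and `!` negation is my reading of Snort 2.x rule syntax rather than anything stated in the post.

```python
import re

# Constructed sample: the destination ports of the four sid 1112 alerts shown in
# the ACID table above (three to port 4662, one to port 3940).
ALERT_DEST_PORTS = [4662, 4662, 4662, 3940]

MAX_PORT = 65535
ALL_PORTS = frozenset(range(MAX_PORT + 1))


def parse_port_spec(spec):
    """Expand a Snort 2.x port variable value into the set of ports it covers.

    Supported forms (assumed from Snort 2.x rule syntax): a single port `80`,
    an inclusive range `80:4711`, open-ended ranges `1024:` and `:1024`,
    `any`, bracketed lists `[80,8080,8000:8100]`, and `!` negation of either
    a whole value (`!80`) or a list member (`[!80]`).
    """
    spec = spec.strip()
    negate_all = spec.startswith("!")
    if negate_all:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]

    included, excluded = set(), set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        target = included
        if token.startswith("!"):
            target = excluded
            token = token[1:].strip()
        if token == "any":
            target.update(ALL_PORTS)
            continue
        m = re.fullmatch(r"(\d+)?(:)?(\d+)?", token)
        if m is None or (m.group(1) is None and m.group(3) is None):
            raise ValueError(f"unrecognised port token: {token!r}")
        lo = int(m.group(1)) if m.group(1) else 0
        hi = int(m.group(3)) if m.group(3) else MAX_PORT
        if m.group(2) is None:       # no colon: a single port, not a range
            hi = lo
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port range out of order or out of bounds: {token!r}")
        target.update(range(lo, hi + 1))

    # A list made only of negated members (`[!80]`) means "everything except".
    if not included:
        included = set(ALL_PORTS)
    ports = included - excluded
    return ALL_PORTS - ports if negate_all else frozenset(ports)


def check_alert_ports(http_ports_spec, dest_ports):
    """Map each observed destination port to whether HTTP_PORTS covers it."""
    covered = parse_port_spec(http_ports_spec)
    return {port: port in covered for port in sorted(set(dest_ports))}


if __name__ == "__main__":
    for spec in ("80:4711", "[80,8080]"):
        print(f"var HTTP_PORTS {spec}:", check_alert_ports(spec, ALERT_DEST_PORTS))
```

Run against `80:4711` the check reports both 4662 and 3940 as covered, which is why the rule fires; against a list limited to the ports web servers actually listen on, such as `[80,8080]`, neither eMule port is covered, so rule 1112 stays enabled but is no longer evaluated against that traffic.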
