[Snort-users] Possible false positive?

Josh Berry josh.berry at ...10221...
Thu Dec 11 15:39:26 EST 2003


Probably because the eMule program (isn't that a P2P app?) is using port
80 and HTTP commands to operate (as a lot of P2P apps do) and somewhere in
the content has "..\\"

> I've just set up snort on my Win2k3 system for the first time, so this
> might
> be misconfiguration :)
>
> I'm getting alerts for rule 1112
> (http://www.snort.org/snort-db/sid.html?sid=1112, WEB-MISC http directory
> traversal). The destination ports do not match the contents of my
> HTTP_PORTS
> variable (var HTTP_PORTS 80:4711). Here is a sample, copied from ACID:
>
>    ID          < Signature >                                           < Timestamp >         < Source Address >   < Dest. Address >   < Layer 4 Proto >
>    #0-(1-52)   [arachNIDS][snort] WEB-MISC http directory traversal   2003-12-10 21:44:36   <removed>:59971      <removed>:4662      TCP
>    #1-(1-51)   [arachNIDS][snort] WEB-MISC http directory traversal   2003-12-10 21:44:33   <removed>:3974       <removed>:4662      TCP
>    #2-(1-50)   [arachNIDS][snort] WEB-MISC http directory traversal   2003-12-10 21:42:57   <removed>:3974       <removed>:4662      TCP
>    #3-(1-49)   [arachNIDS][snort] WEB-MISC http directory traversal   2003-12-10 21:42:53   <removed>:4662       <removed>:3940      TCP
>
> The data being logged is actually eMule traffic. I can't see anything in
> the
> payload that makes snort's reason for logging this traffic obvious. Does
> anyone know why this rule is being matched? Could it be misconfiguration
> or
> is it a false-positive? How might I go about stopping eMule from
> triggering
> this rule without deleting it? (It seems like a good rule to keep). This
> rule's entry in the signature database states that no false positives are
> known, which leads me to think that it's probably misconfiguration, but I
> don't see where.
>
> Thanks in advance!
>
> Arta
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
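An added example, not part of the thread above: a small Python model of the two conditions the reply says rule 1112 imposes, a destination port inside HTTP_PORTS and the "..\" pattern in the payload. In Snort's variable syntax a colon denotes a range, so `80:4711` covers every port from 80 through 4711 inclusive, which takes in the 4662 and 3940 destinations shown in the ACID listing. The port-spec grammar modelled here (`any`, single port, `lo:hi`, open-ended `lo:` / `:hi`, bracketed lists, `!` negation) is Snort's; the rule's other header and option constraints ($HTTP_SERVERS, flow direction) are left out, and the payloads are constructed, not captured eMule traffic.

```python
"""Model of how a Snort port variable and a content match combine.
Added example for the thread above; not the original post's code."""


def port_matches(spec: str, port: int) -> bool:
    """Return True if `port` is covered by the Snort port specification `spec`.

    Handles: any | N | lo:hi | lo: | :hi | [a,b:c,...] | !spec
    """
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(item, port) for item in spec[1:-1].split(","))
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        lo_n = int(lo) if lo else 0          # ":hi" means 0..hi
        hi_n = int(hi) if hi else 65535      # "lo:" means lo..65535
        return lo_n <= port <= hi_n
    return port == int(spec)


# The pattern the reply attributes to the rule: a literal "..\" (Snort writes
# the backslash escaped as "..\\" inside the rule's content: option).
TRAVERSAL_PATTERN = b"..\\"


def content_matches(payload: bytes) -> bool:
    """Plain substring match, the way a content: option without modifiers behaves."""
    return TRAVERSAL_PATTERN in payload


def would_alert(http_ports: str, dst_port: int, payload: bytes) -> bool:
    """Fire only when both the port condition and the content condition hold."""
    return port_matches(http_ports, dst_port) and content_matches(payload)


# Constructed payloads (assumed, not captured traffic): an HTTP-style request
# line carrying a Windows-style path, as a P2P client speaking HTTP might send,
# and the same request without the traversal sequence.
SAMPLE_PAYLOAD = b"GET /shared/..\\incoming\\file.bin HTTP/1.1\r\nHost: peer\r\n\r\n"
CLEAN_PAYLOAD = b"GET /shared/file.bin HTTP/1.1\r\nHost: peer\r\n\r\n"


def check_alerts(http_ports: str = "80:4711", dst_ports=(4662, 3940, 59971)) -> dict:
    """Evaluate the poster's HTTP_PORTS value against the ports seen in ACID."""
    return {p: would_alert(http_ports, p, SAMPLE_PAYLOAD) for p in dst_ports}


if __name__ == "__main__":
    for port, fired in check_alerts().items():
        print(f"dst port {port}: {'ALERT' if fired else 'no match'}")
```

Running it shows 4662 and 3940 inside `80:4711` and 59971 outside it, so with this variable the alerts on the eMule connections are the expected behaviour of the rule rather than a defect in it; narrowing HTTP_PORTS to the ports that actually serve HTTP is the first thing to check.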

