[Snort-users] Possible false positive?
harrym at ...10739...
Mon Dec 15 07:44:17 EST 2003
I figured it out in the end - it was misconfiguration. I didn't realise that
'var HTTP_PORTS 80:4711' was specifying a range and not a list. Since eMule
uses 4662 to transfer data, the port matched the rule. The content did
indeed contain '..\'. I changed HTTP_PORTS to 80 and it's ok now. I shall
wait to put 4711 back when snort supports proper lists for ports :)
From: Josh Berry [mailto:josh.berry at ...10221...]
Sent: 11 December 2003 22:46
To: Harry M
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Possible false positive?
Probably because the eMule program (isn't that a P2P app?) is using port
80 and HTTP commands to operate (as a lot of P2P apps do) and somewhere in
the content has "..\\"
> I've just set up snort on my Win2k3 system for the first time, so this
> be misconfiguration :)
> I'm getting alerts for rule 1112
> (http://www.snort.org/snort-db/sid.html?sid=1112, WEB-MISC http directory
> traversal). The destination ports do not match the contents of my
> variable (var HTTP_PORTS 80:4711). Here is a sample, copied from ACID:
> ID  < Signature >  < Timestamp >  < Source Address >  < Dest. Address >  < Layer 4 Proto >
> #0-(1-52)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:44:36  <removed>:59971  <removed>:4662  TCP
> #1-(1-51)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:44:33  <removed>:3974   <removed>:4662  TCP
> #2-(1-50)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:42:57  <removed>:3974   <removed>:4662  TCP
> #3-(1-49)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:42:53  <removed>:4662   <removed>:3940  TCP
> The data being logged is actually eMule traffic. I can't see anything in
> payload that makes snort's reason for logging this traffic obvious. Does
> anyone know why this rule is being matched? Could it be misconfiguration
> is it a false-positive? How might I go about stopping eMule from
> this rule without deleting it? (It seems like a good rule to keep). This
> rule's entry in the signature database states that no false positives are
> known, which leads me to think that it's probably misconfiguration, but I
> don't see where.
> Thanks in advance!
Josh Berry, CTO
josh.berry at ...10268...
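The root cause in this thread is that Snort's `80:4711` port syntax is a range, not a list, so eMule's port 4662 fell inside HTTP_PORTS. The following added example (not code from the thread or from the Snort project) parses the classic snort.conf port-variable forms (single port, `N:M`, open-ended `N:` / `:M`, `any`, a leading `!`) plus the bracketed list form `[80,4711]` the poster was waiting for, and shows which one matches port 4662. The port spec strings and the port number are constructed from the thread.

```python
# Added example: model how a Snort 2.x port variable is interpreted, to show
# why 'var HTTP_PORTS 80:4711' covers port 4662 while '[80,4711]' does not.
# Syntax handled (assumption: the classic snort.conf forms):
#   80        single port          80:4711   inclusive range
#   1024:     from 1024 upward     :1023     up to 1023
#   any       every port           !spec     negation of spec
#   [a,b:c]   list of the above (later "port list" syntax)

def parse_port_spec(spec: str):
    """Return (negate, intervals); intervals is a list of inclusive (lo, hi)."""
    spec = spec.strip()
    negate = spec.startswith('!')
    if negate:
        spec = spec[1:].strip()
    if spec.startswith('[') and spec.endswith(']'):
        items = [s.strip() for s in spec[1:-1].split(',') if s.strip()]
    else:
        items = [spec]
    intervals = []
    for item in items:
        if item == 'any':
            intervals.append((0, 65535))
        elif ':' in item:
            lo_s, hi_s = item.split(':', 1)
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 65535
            if not (0 <= lo <= hi <= 65535):
                raise ValueError(f'bad port range: {item!r}')
            intervals.append((lo, hi))
        else:
            p = int(item)
            if not 0 <= p <= 65535:
                raise ValueError(f'bad port: {item!r}')
            intervals.append((p, p))
    return negate, intervals

def port_matches(spec: str, port: int) -> bool:
    """True if `port` is selected by the Snort port spec `spec`."""
    negate, intervals = parse_port_spec(spec)
    hit = any(lo <= port <= hi for lo, hi in intervals)
    return hit != negate

def ports_covered(spec: str) -> int:
    """Number of distinct ports a (non-negated) spec selects; 'any' gives 65536."""
    negate, intervals = parse_port_spec(spec)
    selected = {p for lo, hi in intervals for p in range(lo, hi + 1)}
    return 65536 - len(selected) if negate else len(selected)

if __name__ == '__main__':
    for spec in ('80:4711', '[80,4711]', '80', 'any'):   # constructed from the thread
        print(f'{spec:10} covers {ports_covered(spec):5} ports; '
              f'eMule port 4662 matches: {port_matches(spec, 4662)}')
```

Running it shows `80:4711` selecting 4632 ports including 4662, whereas `[80,4711]` selects exactly the two ports the poster intended.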