[Snort-users] Re: [Snort-sigs] Reporting false positive for Snort rule

Josh Berry josh.berry at ...10221...
Tue Feb 24 08:20:11 EST 2004


I was seeing thousands of these also, same situation of Netware to Netware
traffic with the same data.

> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to other's work.
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> #
> # $Id$
> #
> #
>
> Rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP
> SYN packet"; flags:S,12; dsize:>6;
> reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526;
> classtype:misc-activity; rev:6;)
>
> --
> Sid:
> 526
> --
> Summary:
> Reporting a potential false positive
> --
> Impact:
>
> --
> Detailed Information:
>
> --
> Affected Systems:
>
> --
> Attack Scenarios:
>
> --
> Ease of Attack:
>
> --
> False Positives:
> I am seeing a significant # of hits on this rule, always from a NetWare
> server running "DS Expert", sending to another NetWare server (being
> monitored by DSExpert).  This may be due to DSExpert being an older copy,
> but thought you'd want to know.  Here's the TCP data.  Destination port is
> always 524, with SYN set.
> 000 : 74 4E 63 50 00 00 00 0F 11 11 00 FF 00 FF 00      tNcP...........
>
> --
> False Negatives:
>
> --
> Corrective Action:
>
> --
> Contributors:
>
> --
> Additional References:


Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
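An added example, not from the post or from Snort's own code: the two match tests of sid 526 as quoted above (`flags:S,12` and `dsize:>6`) applied to the captured NetWare payload, followed by a hypothetical allow-list step for NCP traffic between known NetWare servers so the reported hits can be reviewed before a suppress entry is written. The server addresses, the `Segment` type and the `classify` helper are assumptions.

```python
from dataclasses import dataclass

# TCP flag bits in header order (RFC 793 / RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# sid:526 as quoted in the post: "flags:S,12; dsize:>6;"
# "S" means exactly SYN set; ",12" tells Snort to ignore reserved bits 1 and 2
# (the ECN bits ECE and CWR), so a SYN that negotiates ECN still matches.
RESERVED_MASK = ECE | CWR
DSIZE_GT = 6
NCP_PORT = 524  # destination port reported in the post

# The 15 payload bytes from the post's hex dump ("tNcP...").
NETWARE_PAYLOAD = bytes.fromhex("744E63500000000F111100FF00FF00")

@dataclass
class Segment:                      # minimal constructed view of one TCP segment
    src: str
    dst: str
    dport: int
    flags: int
    payload: bytes

def matches_sid526(flags: int, payload: bytes) -> bool:
    """Apply the rule's two tests: flags:S,12 and dsize:>6."""
    return (flags & ~RESERVED_MASK & 0xFF) == SYN and len(payload) > DSIZE_GT

def classify(seg: Segment, netware_servers: frozenset) -> str:
    """Rule verdict refined by a hypothetical allow-list of known NetWare servers."""
    if not matches_sid526(seg.flags, seg.payload):
        return "no-match"
    if seg.dport == NCP_PORT and seg.src in netware_servers and seg.dst in netware_servers:
        return "expected-ncp"       # candidate for a suppress entry after review
    return "alert"

NETWARE_SERVERS = frozenset({"192.0.2.10", "192.0.2.20"})  # constructed (RFC 5737 range)

SAMPLES = [  # constructed segments exercising each branch of the rule
    Segment("192.0.2.10", "192.0.2.20", 524, SYN, NETWARE_PAYLOAD),              # the reported hit
    Segment("192.0.2.10", "192.0.2.20", 524, SYN | ECE | CWR, NETWARE_PAYLOAD),  # ECN SYN still matches
    Segment("198.51.100.7", "192.0.2.20", 524, SYN, NETWARE_PAYLOAD),            # unknown source: alert
    Segment("192.0.2.10", "192.0.2.20", 524, SYN | ACK, NETWARE_PAYLOAD),        # SYN-ACK: flags fail
    Segment("192.0.2.10", "192.0.2.20", 524, SYN, NETWARE_PAYLOAD[:6]),          # dsize not > 6
]

def run(samples=SAMPLES, servers=NETWARE_SERVERS):
    return [classify(s, servers) for s in samples]

if __name__ == "__main__":
    for seg, verdict in zip(SAMPLES, run()):
        print(f"{seg.src}->{seg.dst}:{seg.dport} flags=0x{seg.flags:02x} "
              f"dsize={len(seg.payload)} {verdict}")
```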




