[Snort-users] FPs on XML PHP signatures.

Joel Esler joel.esler at ...1935...
Wed Dec 7 11:45:04 EST 2005


Are you using Barnyard??

Joel



On Dec 7, 2005, at 12:25 PM, qwerty qwertytrewq wrote:

> Hi list.
>
> The XML PHP signatures from both VRT and Bleeding Snort (sid 3827 rev 1 and sid 2002158 rev 4) have been triggering fine for a couple of months on my sensor.
> But recently they have produced some FPs on what looks like perfectly legal traffic.
>
> Here is a dump of traffic that both sigs triggered on:
>
> 0000  00 00 0c 07 ac 01 00 04  23 09 11 7c 08 00 45 00   ........ #..|..E.
> 0010  01 88 78 a6 40 00 7d 06  52 df 8b 6c f4 85 d8 28   ..x.@.}. R..l...(
> 0020  d8 cf 85 f7 00 50 3c b0  a9 2a 5b 55 f2 37 50 18   .....P<. .*[U.7P.
> 0030  43 54 55 fd 00 00 47 45  54 20 2f 70 6c 61 79 65   CTU...GE T /playe
> 0040  72 73 2f 61 77 61 72 64  73 2f 53 69 6c 76 65 72   rs/award s/Silver
> 0050  4d 65 64 61 6c 2e 67 69  66 20 48 54 54 50 2f 31   Medal.gi f HTTP/1
> 0060  2e 30 0d 0a 56 69 61 3a  20 31 2e 30 20 53 50 52   .0..Via:  1.0 SPR
> 0070  58 30 32 2c 20 31 2e 30  20 53 50 52 58 30 31 0d   X02, 1.0  SPRX01.
> 0080  0a 49 66 2d 4e 6f 6e 65  2d 4d 61 74 63 68 3a 20   .If-None -Match: 
> 0090  22 36 33 64 37 32 2d 33  63 37 2d 33 65 32 37 35   "63d72-3 c7-3e275
> 00a0  33 34 33 22 0d 0a 55 73  65 72 2d 41 67 65 6e 74   343"..Us er-Agent
> 00b0  3a 20 4d 6f 7a 69 6c 6c  61 2f 34 2e 30 20 28 63   : Mozill a/4.0 (c
> 00c0  6f 6d 70 61 74 69 62 6c  65 3b 20 4d 53 49 45 20   ompatibl e; MSIE 
> 00d0  36 2e 30 3b 20 57 69 6e  64 6f 77 73 20 4e 54 20   6.0; Win dows NT 
> 00e0  35 2e 31 29 0d 0a 48 6f  73 74 3a 20 67 6f 74 6d   5.1)..Ho st: gotm
> 00f0  2e 63 69 76 66 61 6e 61  74 69 63 73 2e 6e 65 74   .civfana tics.net
> 0100  0d 0a 49 66 2d 4d 6f 64  69 66 69 65 64 2d 53 69   ..If-Mod ified-Si
> 0110  6e 63 65 3a 20 46 72 69  2c 20 31 37 20 4a 61 6e   nce: Fri , 17 Jan
> 0120  20 32 30 30 33 20 30 30  3a 35 30 3a 31 31 20 47    2003 00 :50:11 G
> 0130  4d 54 0d 0a 41 63 63 65  70 74 3a 20 2a 2f 2a 0d   MT..Acce pt: */*.
> 0140  0a 52 65 66 65 72 65 72  3a 20 68 74 74 70 3a 2f   .Referer : http:/
> 0150  2f 77 77 77 2e 63 69 76  66 61 6e 61 74 69 63 73   /www.civ fanatics
> 0160  2e 63 6f 6d 2f 0d 0a 41  63 63 65 70 74 2d 4c 61   .com/..A ccept-La
> 0170  6e 67 75 61 67 65 3a 20  6e 6f 0d 0a 43 6f 6e 6e   nguage:  no..Conn
> 0180  65 63 74 69 6f 6e 3a 20  4b 65 65 70 2d 41 6c 69   ection:  Keep-Ali
> 0190  76 65 0d 0a 0d 0a                                  ve....
>
> Perfmon shows no sign of the sensor being stressed; both mbit/sec and packet loss are producing normal numbers. No peaks whatsoever.
>
> Anyone else experienced FPs on these signatures?
>
> Thanks!
>
>
