[Snort-users] FPs on 13711-13713

Castle, Shane scastle at ...14946...
Fri Aug 27 11:07:56 EDT 2010


The problem seems to be the client port chosen by the application, which
often is 3306, and it connects to 5222 on the chat server. So, these
rules trigger on the replies from the server to the client. I did only a
cursory examination of these events.

I don't see a quick way of dealing with this if an ephemeral 3306 is
chosen by the client. The rules have "flow:established,to_server"
already (so why did this trigger?). I wonder if the only way might be to
find some additional signature component that's unique to the MySQL
traffic.

--
Shane Castle
Data Security Mgr, Boulder County IT
GSEC GCIH
303-441-3953
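
Added illustration (not part of the thread, and not Snort's own rule logic): a small Python model of the point above. A header-only match on destination port 3306 fires on an XMPP server's reply to a client that happened to bind 3306 as its ephemeral port, while a check on MySQL's own packet framing (3-byte little-endian body length, 1-byte sequence id, and protocol version 10 in the sequence-0 server greeting) rejects the XMPP payload. The packets, ports and capability bytes are constructed samples; the functions are hypothetical helpers, not Snort keywords.

```python
# Added example: a MySQL-specific payload component that keeps a port-3306
# match from firing on non-MySQL traffic. Constructed, not from the thread.
from dataclasses import dataclass

MYSQL_PORT = 3306
XMPP_PORT = 5222
MYSQL_PROTOCOL_VERSION = 0x0A  # protocol version 10, first byte of the server greeting


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


def mysql_framing_ok(payload: bytes) -> bool:
    """Check MySQL wire framing: 3-byte little-endian body length, then a
    1-byte sequence id. The declared length must match the body, and a
    sequence-0 packet (the server greeting) must carry protocol version 10."""
    if len(payload) < 5:
        return False
    body_len = int.from_bytes(payload[:3], "little")
    seq_id = payload[3]
    if body_len != len(payload) - 4:
        return False
    if seq_id == 0:
        return payload[4] == MYSQL_PROTOCOL_VERSION
    return True


def port_only_rule(pkt: Packet) -> bool:
    """Header-only analogue of a rule aimed at port 3306: fires on anything
    addressed to 3306, including replies to a client whose ephemeral port is 3306."""
    return pkt.dst_port == MYSQL_PORT


def mysql_aware_rule(pkt: Packet) -> bool:
    """Same header match plus a MySQL-specific payload component."""
    return port_only_rule(pkt) and mysql_framing_ok(pkt.payload)


def mysql_packet(seq_id: int, body: bytes) -> bytes:
    """Build a correctly framed MySQL packet (constructed helper)."""
    return len(body).to_bytes(3, "little") + bytes([seq_id]) + body


# Constructed traffic: an XMPP server on 5222 answering a client that bound
# 3306 as its source port, the situation described in the message above.
XMPP_REPLY = Packet(
    src_port=XMPP_PORT,
    dst_port=MYSQL_PORT,
    payload=b"<?xml version='1.0'?><stream:stream xmlns='jabber:client'>",
)

# Constructed genuine MySQL traffic: a client on 54321 logging in to a
# server on 3306 (sequence id 1, made-up capability flags and user name).
MYSQL_LOGIN = Packet(
    src_port=54321,
    dst_port=MYSQL_PORT,
    payload=mysql_packet(1, b"\x85\xa6\x03\x00" + b"\x00\x00\x00\x01" + b"\x21"
                            + b"\x00" * 23 + b"app\x00"),
)

# Constructed server greeting: sequence 0, protocol version 10, made-up version string.
MYSQL_GREETING = mysql_packet(0, bytes([MYSQL_PROTOCOL_VERSION]) + b"5.x\x00")


def evaluate() -> dict:
    """Run both rule variants over the constructed samples."""
    return {
        "xmpp_reply_port_only": port_only_rule(XMPP_REPLY),        # True: false positive
        "xmpp_reply_mysql_aware": mysql_aware_rule(XMPP_REPLY),    # False: rejected by framing
        "mysql_login_mysql_aware": mysql_aware_rule(MYSQL_LOGIN),  # True: real MySQL kept
        "greeting_framing": mysql_framing_ok(MYSQL_GREETING),      # True
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name}: {fired}")
```

The framing check is deliberately cheap: it reads five bytes and never parses the rest of the packet, which is the kind of narrow, protocol-specific component a rule author can add without depending on which side the session tracker believes is the client.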

-----Original Message-----
From: waldo kitty [mailto:wkitty42 at ...14940...] 
Sent: Thursday, August 26, 2010 16:53
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] FPs on 13711-13713

On 8/26/2010 16:12, Castle, Shane wrote:
> The recently added rules 13711, 13712, and 13713 all exhibit FP behavior
> for the google chat application, google Talk, using XMPP.

wow.. really??? that would seem to indicate that they are, in the first place,
using the mysql TCP port of 3306 for their communications... if so, that doesn't
seem nice at all...

those rules check for the non-existence of several flowbits... could that be
part of the problem if you have the rules that set those flowbits disabled??

i do note that those rules do set flowbit sslv2.client_hello.request but that's
not one of the ones being checked...

> Attached are pcaps.
