[Snort-users] False positives on mysql traffic

Al Lewis (allewi) allewi at ...589...
Tue Apr 28 15:52:30 EDT 2015


That's really not much to go on. Maybe someone on the boards can help out.

Thanks.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 

-----Original Message-----
From: Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 [mailto:michael.jacobi1 at ...7622...] 
Sent: Tuesday, April 28, 2015 3:12 PM
To: Al Lewis (allewi); For Sinton
Cc: snort-users at lists.sourceforge.net
Subject: RE: False positives on mysql traffic

I am seeing this happen between a MySQL server and client.  I am not allowed to send a pcap, but the rule is: MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (sid 32609)

Mike Jacobi

________________________________________
From: Al Lewis (allewi) [allewi at ...589...]
Sent: Tuesday, April 28, 2015 7:37 AM
To: For Sinton
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] False positives on mysql traffic

Hello,

        Can you send us the pcap in binary format and the rule that is suspected of alerting incorrectly please?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...


-----Original Message-----
From: For Sinton [mailto:forsin at ...17149...]
Sent: Monday, April 27, 2015 11:54 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] False positives on mysql traffic


Hello
here is pcap traffic:
0000000: 41 00 00 00 03 53 45 4c 45 43 54 20 74   5f 5f 30 2e 2a 0a 46 52 4f 4d 20 0a 76  A....SELECT.t__0.*.FROM..v
000001A: 69 65 77 73 5f 76 69 65 77 20 74 5f 5f   30 0a 57 48 45 52 45 20 20 28 6e 61 6d  iews_view.t__0.WHERE..(nam
0000034: 65 20 49 4e 20 20 28 27 70 6f 6c 6c 73   27 29 29 20                             e.IN..('polls')).

----- Original message -----
From: snort-users-request at lists.sourceforge.net
To: "forsin" <forsin at ...17149...>
Sent: Tuesday, 28 April 2015 9:52:50
Subject: Welcome to the "Snort-users" mailing list
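When triaging a false-positive report like the one above, a useful first step is to decode the posted bytes against the MySQL wire format: a 3-byte little-endian payload length, a 1-byte sequence id, and for a client command packet a command byte (0x03 is COM_QUERY) followed by the query text. The following is an added example, not code from the thread or from the Snort project; the hex string is transcribed from the dump posted above, and the command table is a hand-picked subset of the protocol's command bytes.

```python
# Bytes transcribed from the hex dump posted in the thread (constructed copy).
POSTED_HEX = (
    "41 00 00 00 03 53 45 4c 45 43 54 20 74 5f 5f 30 2e 2a 0a 46 52 4f 4d 20 0a 76 "
    "69 65 77 73 5f 76 69 65 77 20 74 5f 5f 30 0a 57 48 45 52 45 20 20 28 6e 61 6d "
    "65 20 49 4e 20 20 28 27 70 6f 6c 6c 73 27 29 29 20"
)

# Subset of MySQL client command bytes; 0x03 (COM_QUERY) carries a text query.
COMMANDS = {0x01: "COM_QUIT", 0x02: "COM_INIT_DB", 0x03: "COM_QUERY",
            0x0e: "COM_PING", 0x16: "COM_STMT_PREPARE", 0x17: "COM_STMT_EXECUTE"}


def parse_mysql_packet(data: bytes) -> dict:
    """Split one MySQL packet into header fields and payload.
    Header = 3-byte little-endian payload length + 1-byte sequence id."""
    if len(data) < 4:
        raise ValueError("short packet: need at least 4 header bytes")
    length = int.from_bytes(data[0:3], "little")
    seq = data[3]
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError(f"truncated: header says {length}, captured {len(payload)}")
    return {"length": length, "seq": seq, "payload": payload,
            "trailing": data[4 + length:]}


def describe_command(pkt: dict) -> dict:
    """Interpret the payload as a client command; the first client packet
    of a command uses sequence id 0, so a non-zero id is worth flagging."""
    payload = pkt["payload"]
    cmd = payload[0]
    info = {"command": COMMANDS.get(cmd, f"unknown(0x{cmd:02x})"),
            "seq_ok": pkt["seq"] == 0}
    if cmd == 0x03:
        text = payload[1:].decode("utf-8", errors="replace")
        info["query"] = text
        # Printable SQL with no stray bytes is the usual shape of benign traffic.
        info["printable"] = text.isprintable() or text.replace("\n", "").isprintable()
    return info


def triage(hexdump: str) -> dict:
    """Decode a space-separated hex dump into a summary for FP review."""
    pkt = parse_mysql_packet(bytes.fromhex(hexdump))
    result = {"length": pkt["length"], "seq": pkt["seq"],
              "trailing_bytes": len(pkt["trailing"])}
    result.update(describe_command(pkt))
    return result


if __name__ == "__main__":
    for key, value in triage(POSTED_HEX).items():
        print(f"{key}: {value!r}")
```

With the header length matching the captured payload exactly and a single COM_QUERY carrying plain SELECT text, the bytes are consistent with ordinary client traffic, which is the kind of evidence to attach alongside the sid when reporting a suspected false positive.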

