Snort mailing list archives
Fwd: false positives
From: Vail () gmx net
Date: Tue, 7 Aug 2001 13:46:16 +0200 (MEST)
Greetings,

After I installed snort-1.8p1 on an OpenBSD box and configured some rules, I get the following false positives (see below). I wonder what services could create such false positives...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[**] [1:530:2] NETBIOS NT NULL session [**]
[Classification: Attempted Information Leak] [Priority: 3]
08/06-21:49:55.395977 0:50:4:48:2A:A6 -> 0:1:2:7:F2:1 type:0x800 len:0xEE
192.168.2.116:3152 -> 192.168.2.50:139 TCP TTL:128 TOS:0x1C ID:937 IpLen:20 DgmLen:224 DF
***AP*** Seq: 0xCA59 Ack: 0x37F46A8 Win: 0x21D9 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/1163]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2000-0347]
[Xref => http://www.whitehats.com/info/IDS204]

192.168.2.116: just an NT 4.0 client
192.168.2.50: fileserver/PDC

I think it could be some sort of process which uses IPC communications or something like that.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[**] [1:254:1] DNS SPOOF query response with ttl [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/07-14:49:28.183468 0:1:2:7:F2:1 -> 0:1:2:B5:53:8C type:0x800 len:0x5D
192.168.2.50:53 -> 192.168.2.68:2329 UDP TTL:128 TOS:0x0 ID:48283 IpLen:20 DgmLen:79
Len: 59

Same situation as above: a client connects to the PDC/fileserver. Nobody here is even aware of what DNS spoofing is... so it must be a false positive. What could it be?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
08/06-21:51:39.248579 0:50:4:48:2A:A6 -> 0:8:C7:28:B:A9 type:0x800 len:0x76
192.168.2.116:2992 -> 192.168.2.11:139 TCP TTL:128 TOS:0x1C ID:3516 IpLen:20 DgmLen:104 DF
***AP*** Seq: 0x1AA771 Ack: 0xF87316 Win: 0x2238 TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
08/07-15:47:05.861621 0:50:4:48:2A:A6 -> 0:8:C7:1E:44:B0 type:0x800 len:0x1B8
192.168.2.116:1152 -> 213.83.6.2:80 TCP TTL:128 TOS:0x10 ID:44336 IpLen:20 DgmLen:426 DF
***AP*** Seq: 0x9BB2 Ack: 0xE7C2948E Win: 0x2238 TcpLen: 20

Where can I read more about alerts like this when there's no Xref =>? Can someone explain these two, please?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

My best regards,
marion
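The alerts quoted in the post are in Snort's "full" alert layout: a `[**] [gid:sid:rev] msg [**]` header, an optional `[Classification: ...] [Priority: N]` line, a timestamp line, an IP header line, a transport-header line, and optional `[Xref => ...]` lines. When triaging suspected false positives, the first useful step is to parse that layout into fields and group the alerts by signature and host pair, so that a "same client, same server, every day" pattern stands out. The following is an added example, not code from the original post or from the Snort project; it parses the four alerts above (re-typed inline as constructed sample input) and, as a convenience, emits `suppress` lines in the `threshold.conf` syntax of later Snort 2.x releases (assumed here; the 1.8 release the post describes has no such file). The helper names (`parse_alerts`, `by_source`, `suppress_line`) are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the four alerts from the post, re-typed in
# Snort's "full" alert layout (one field group per line).
SAMPLE_ALERTS = """\
[**] [1:530:2] NETBIOS NT NULL session [**]
[Classification: Attempted Information Leak] [Priority: 3]
08/06-21:49:55.395977 0:50:4:48:2A:A6 -> 0:1:2:7:F2:1 type:0x800 len:0xEE
192.168.2.116:3152 -> 192.168.2.50:139 TCP TTL:128 TOS:0x1C ID:937 IpLen:20 DgmLen:224 DF
***AP*** Seq: 0xCA59  Ack: 0x37F46A8  Win: 0x21D9  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/1163]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2000-0347]
[Xref => http://www.whitehats.com/info/IDS204]

[**] [1:254:1] DNS SPOOF query response with ttl [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/07-14:49:28.183468 0:1:2:7:F2:1 -> 0:1:2:B5:53:8C type:0x800 len:0x5D
192.168.2.50:53 -> 192.168.2.68:2329 UDP TTL:128 TOS:0x0 ID:48283 IpLen:20 DgmLen:79
Len: 59

[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
08/06-21:51:39.248579 0:50:4:48:2A:A6 -> 0:8:C7:28:B:A9 type:0x800 len:0x76
192.168.2.116:2992 -> 192.168.2.11:139 TCP TTL:128 TOS:0x1C ID:3516 IpLen:20 DgmLen:104 DF
***AP*** Seq: 0x1AA771  Ack: 0xF87316  Win: 0x2238  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
08/07-15:47:05.861621 0:50:4:48:2A:A6 -> 0:8:C7:1E:44:B0 type:0x800 len:0x1B8
192.168.2.116:1152 -> 213.83.6.2:80 TCP TTL:128 TOS:0x10 ID:44336 IpLen:20 DgmLen:426 DF
***AP*** Seq: 0x9BB2  Ack: 0xE7C2948E  Win: 0x2238  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
TIME_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
# Ports are optional so the same line shape also matches ICMP alerts.
IP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))? (\w+) ")
XREF_RE = re.compile(r"^\[Xref => (.+?)\]$")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str] = None
    priority: Optional[int] = None
    timestamp: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None
    xrefs: List[str] = field(default_factory=list)

    @property
    def is_preprocessor(self) -> bool:
        # Generator 1 is the rules engine. Any other gid (110 = spp_unidecode,
        # 111 = spp_stream4 in the post) is a preprocessor, which is why those
        # alerts carry no Classification/Priority or Xref lines.
        return self.gid != 1


def parse_alerts(text: str) -> List[Alert]:
    """Split a Snort full-format alert file into Alert records."""
    alerts: List[Alert] = []
    cur: Optional[Alert] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            cur = Alert(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
            alerts.append(cur)
        elif cur is None:
            continue  # stray text before the first header
        elif m := CLASS_RE.match(line):
            cur.classification, cur.priority = m[1], int(m[2])
        elif m := TIME_RE.match(line):
            cur.timestamp = m[1]
        elif m := IP_RE.match(line):
            cur.src, cur.dst, cur.proto = m[1], m[3], m[5]
            cur.sport = int(m[2]) if m[2] else None
            cur.dport = int(m[4]) if m[4] else None
        elif m := XREF_RE.match(line):
            cur.xrefs.append(m[1])
    return alerts


def by_source(alerts: List[Alert]) -> Counter:
    """Count alerts per source host: a single chatty client shows up at once."""
    return Counter(a.src for a in alerts if a.src)


def by_pair(alerts: List[Alert]) -> Counter:
    """Count (gid:sid, src -> dst) pairs; recurring pairs are tuning candidates."""
    return Counter(f"{a.gid}:{a.sid} {a.src} -> {a.dst}" for a in alerts if a.src)


def suppress_line(a: Alert) -> str:
    """Assumed Snort 2.x threshold.conf syntax for silencing one signature from one source."""
    return f"suppress gen_id {a.gid}, sig_id {a.sid}, track by_src, ip {a.src}"


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for pair, n in by_pair(parsed).most_common():
        print(f"{n:3d}  {pair}")
    for a in parsed:
        kind = "preprocessor" if a.is_preprocessor else "rule"
        print(f"# {kind}: {a.msg}")
        print(suppress_line(a))
```

Only write a `suppress` line once the host pair has been explained (here, an NT client talking SMB to its own PDC); suppressing by source alone would also hide the same signature from that host against every other server.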