Snort mailing list archives

Re: False positive

From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 18 Jul 2005 16:43:04 -0400

Angelita de Cássia Corrêa wrote:

Can I consider some false positives or really attempts in the alerts below?

(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) IIS UNICODE CODEPOINT ENCODING

> attempted-recon: (http_inspect) DOUBLE DECODING ATTACK

If you see these going to YOUR webserver, probably, unless you use very odd URIsthat aren't supported by all servers.

If it's coming from your clients going to outside servers, it is probably not anattack. You can't really expect to know what URIs outside sites useintentionally in their own URLs. Some use really long URIs, encoded URI, etc.

You should consider setting up http_inspect to only watch traffic to yourservers, and set it's limits to match what your server can handle. Seesnort.conf and doc/README.http_inspect.


> non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING

That seems odd, but I don't know much about it. Could be cause by a nonstandardservice being used over port 80. (check to see if the IP of yours is runningsomething like accessmypc, or other oddball tunnels over port 80.)

(snort_decoder): Truncated Tcp Options
(snort_decoder): Tcp Options found with bad lengths

Very strange, but likely to be random corrupted garbage packets. See if itcorrelates with other probes or activity from the same IP. Check yourserverlogs, etc.

misc-activity: ICMP PING CyberKit 2.2 Windows

No, that's an informational rule. Someone used cyberkit to perform a ping sortsaw. That's slightly suspicious as it's an oddball tool, but it is not anattack. It *could* be recon, so keep an eye on that IP for attacks.


> attempted-dos: ICMP PATH MTU denial of service

That's either a broken router, or someone trying to DoS you by closing up thepath MTU to something tiny.




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: False positive Angelita de Cássia Corrêa (Jul 18)
- Re: False positive Matt Kettler (Jul 18)
- SYN Proxy Xavier Cabrera (Jul 19)
  - Re: SYN Proxy Jason Brvenik (Jul 19)
  - Re: SYN Proxy Matt Kettler (Jul 19)
    - Re: SYN Proxy Will Metcalf (Jul 19)
    - Re: SYN Proxy Xavier Cabrera (Jul 19)
    - Re: SYN Proxy Matt Kettler (Jul 20)
    - Re: SYN Proxy Daniel Cid (Jul 20)
    - Re: SYN Proxy Xavier Cabrera (Jul 20)
- <Possible follow-ups>
- RE: False positive Briggs, Bruce (Jul 18)