Snort mailing list archives
Re: False positive
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 18 Jul 2005 16:43:04 -0400
Angelita de Cássia Corrêa wrote:
Can I consider some false positives or really attempts in the alerts below? (http_inspect) BARE BYTE UNICODE ENCODING (http_inspect) OVERSIZE REQUEST-URI DIRECTORY (http_inspect) IIS UNICODE CODEPOINT ENCODING
> attempted-recon: (http_inspect) DOUBLE DECODING ATTACKIf you see these going to YOUR webserver, probably, unless you use very odd URIs that aren't supported by all servers.
If it's coming from your clients going to outside servers, it is probably not an attack. You can't really expect to know what URIs outside sites use intentionally in their own URLs. Some use really long URIs, encoded URI, etc.
You should consider setting up http_inspect to only watch traffic to your servers, and set it's limits to match what your server can handle. See snort.conf and doc/README.http_inspect.
> non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODINGThat seems odd, but I don't know much about it. Could be cause by a nonstandard service being used over port 80. (check to see if the IP of yours is running something like accessmypc, or other oddball tunnels over port 80.)
(snort_decoder): Truncated Tcp Options (snort_decoder): Tcp Options found with bad lengths
Very strange, but likely to be random corrupted garbage packets. See if it correlates with other probes or activity from the same IP. Check your serverlogs, etc.
misc-activity: ICMP PING CyberKit 2.2 Windows
No, that's an informational rule. Someone used cyberkit to perform a ping sort saw. That's slightly suspicious as it's an oddball tool, but it is not an attack. It *could* be recon, so keep an eye on that IP for attacks.
> attempted-dos: ICMP PATH MTU denial of serviceThat's either a broken router, or someone trying to DoS you by closing up the path MTU to something tiny.
------------------------------------------------------- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: False positive Angelita de Cássia Corrêa (Jul 18)
- Re: False positive Matt Kettler (Jul 18)
- SYN Proxy Xavier Cabrera (Jul 19)
- Re: SYN Proxy Jason Brvenik (Jul 19)
- Re: SYN Proxy Matt Kettler (Jul 19)
- Re: SYN Proxy Will Metcalf (Jul 19)
- Re: SYN Proxy Xavier Cabrera (Jul 19)
- Re: SYN Proxy Matt Kettler (Jul 20)
- Re: SYN Proxy Daniel Cid (Jul 20)
- Re: SYN Proxy Xavier Cabrera (Jul 20)
- <Possible follow-ups>
- RE: False positive Briggs, Bruce (Jul 18)