Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: False positive

From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Mon, 18 Jul 2005 20:26:12 -0400
I only started seeing ICMP PATH MTU denial of service after the bad April version of MS MS05-019.
An updated version can out in June.

I expect these to largely disappear once everyone updates to the new version.

Bruce

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt 
Kettler
Sent: Monday, July 18, 2005 4:43 PM
To: Angelita de Cássia Corrêa
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] False positive

Angelita de Cássia Corrêa wrote:

Can I consider some false positives or really attempts in the alerts below?

(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) IIS UNICODE CODEPOINT ENCODING
attempted-recon: (http_inspect) DOUBLE DECODING ATTACK


If you see these going to YOUR webserver, probably, unless you use very odd URIs that aren't supported by all servers.

If it's coming from your clients going to outside servers, it is probably not an attack. You can't really expect to 
know what URIs outside sites use intentionally in their own URLs. Some use really long URIs, encoded URI, etc.

  You should consider setting up http_inspect to only watch traffic to your servers, and set it's limits to match what 
your server can handle. See snort.conf and doc/README.http_inspect.


non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING


That seems odd, but I don't know much about it. Could be cause by a nonstandard service being used over port 80. (check 
to see if the IP of yours is running something like accessmypc, or other oddball tunnels over port 80.)


(snort_decoder): Truncated Tcp Options
(snort_decoder): Tcp Options found with bad lengths


Very strange, but likely to be random corrupted garbage packets. See if it correlates with other probes or activity 
from the same IP. Check your serverlogs, etc.



misc-activity: ICMP PING CyberKit 2.2 Windows


No, that's an informational rule. Someone used cyberkit to perform a ping sort saw. That's slightly suspicious as it's 
an oddball tool, but it is not an attack. It *could* be recon, so keep an eye on that IP for attacks.


attempted-dos: ICMP PATH MTU denial of service


That's either a broken router, or someone trying to DoS you by closing up the path MTU to something tiny.



-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=ick
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: