Snort mailing list archives
Re: GID3 SID16408 False Positives
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 9 Feb 2010 17:46:48 -0500
Evilghost--

Best way to troubleshoot these is to provide VRT with a pcap of the traffic so they can troubleshoot the rule.

--
Joel Esler
302-223-5974
Sent from my iPhone

On Feb 9, 2010, at 5:25 PM, "evilghost () packetmail net" <evilghost () packetmail net> wrote:

> I am seeing this false heavily against TCP sport 80/sport 443 sourced from known trusted Internet hosts such as Thomson Reuters. What information can I provide to the VRT team to better reduce this false positive since I have no visibility into this GID3 signature? The stub rule appears to be "$EXTERNAL_NET any -> $HOME_NET any", which really expands the scope of this signature and its false-positive potential. Are others also seeing this?
>
> Even more odd is I do not see this signature announced in the VRT update. The change log is blank due to these being GID 3, so I'm going on information in the announcement email, which doesn't seem to cover this. The announcement email shows 16405 for MS10-009, yet the stub rule shows 16408, if I understand it correctly. Also please note this is IPv4 traffic, established, not IPv6.
>
> Any insight, comments, etc. are appreciated. Troubleshooting this is difficult due to the lack of information and what appears to be inconsistent/inaccurate information in the announcement email.
>
> Thanks in advance,
> -evilghost
------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
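Added example, not part of the thread above or of Snort itself: before handing VRT a pcap, an analyst usually wants to show how often a GID:SID fires, from which sources and source ports, so the report (and any local suppression) rests on numbers rather than impressions. The script below parses Snort alert_fast-style lines, tallies one signature per source host, source port and protocol, reports what share of hits are return traffic from TCP source port 80/443 (the pattern evilghost describes), and drafts threshold.conf `suppress` entries only for hosts on an analyst-maintained trusted list. The log lines, addresses and rule message text are constructed placeholders; the GID:SID 3:16408 is the one discussed in the thread, and the `suppress gen_id ..., sig_id ..., track by_src, ip ...` syntax is Snort's own threshold.conf format.

```python
"""Tally Snort alert_fast lines by GID:SID and source, then draft suppress entries.

Added example (not code from the mailing-list thread or from Snort). The
sample alerts are constructed; message text and hosts are placeholders.
"""
import re
from collections import Counter

# alert_fast line shape:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
# Classification/Priority are optional in some configurations, hence the lazy ".*?".
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample log. 198.51.100.x stand in for trusted web servers replying on 80/443,
# 203.0.113.7 for an unknown source. One non-alert line is included to show it is skipped.
SAMPLE_ALERTS = """\
02/09-17:01:02.000001  [**] [3:16408:1] PLACEHOLDER SO RULE MSG [**] [Classification: PLACEHOLDER] [Priority: 1] {TCP} 198.51.100.10:443 -> 10.1.1.20:49152
02/09-17:01:03.000002  [**] [3:16408:1] PLACEHOLDER SO RULE MSG [**] [Classification: PLACEHOLDER] [Priority: 1] {TCP} 198.51.100.10:443 -> 10.1.1.21:49153
02/09-17:01:04.000003  [**] [3:16408:1] PLACEHOLDER SO RULE MSG [**] [Classification: PLACEHOLDER] [Priority: 1] {TCP} 198.51.100.11:80 -> 10.1.1.22:49154
02/09-17:01:05.000004  [**] [3:16408:1] PLACEHOLDER SO RULE MSG [**] [Classification: PLACEHOLDER] [Priority: 1] {TCP} 203.0.113.7:4444 -> 10.1.1.23:49155
02/09-17:01:06.000005  [**] [1:1000001:1] PLACEHOLDER TEXT RULE MSG [**] [Classification: PLACEHOLDER] [Priority: 3] {TCP} 198.51.100.10:443 -> 10.1.1.20:49156
02/09-17:01:07.000006  [**] [3:16408:1] PLACEHOLDER SO RULE MSG [**] [Classification: PLACEHOLDER] [Priority: 1] {UDP} 198.51.100.12:53 -> 10.1.1.24:49157
this line is not an alert and is skipped by the parser
"""


def parse_alerts(text):
    """Yield one dict per parseable alert_fast line; anything else is ignored."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            rec[key] = int(rec[key])
        yield rec


def tally_by_source(alerts, gid, sid):
    """Count hits for one GID:SID, keyed by (source IP, source port, protocol)."""
    counts = Counter()
    for a in alerts:
        if a["gid"] == gid and a["sid"] == sid:
            counts[(a["src"], a["sport"], a["proto"])] += 1
    return counts


def server_reply_share(tally):
    """Fraction of hits that are TCP traffic from source port 80 or 443,
    i.e. server-to-client return traffic rather than inbound client requests."""
    total = sum(tally.values())
    if not total:
        return 0.0
    web = sum(n for (_src, sport, proto), n in tally.items()
              if proto == "TCP" and sport in (80, 443))
    return web / total


def draft_suppressions(tally, gid, sid, trusted_hosts, min_hits=2):
    """Draft threshold.conf suppress lines, one per trusted source with >= min_hits.

    Unknown sources are deliberately left alone so they remain visible for
    investigation; suppression is a local tuning step, not a fix for the rule."""
    hits_by_host = Counter()
    for (src, _sport, _proto), n in tally.items():
        hits_by_host[src] += n
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
        for src in sorted(hits_by_host)
        if src in trusted_hosts and hits_by_host[src] >= min_hits
    ]


if __name__ == "__main__":
    alerts = list(parse_alerts(SAMPLE_ALERTS))
    tally = tally_by_source(alerts, 3, 16408)
    for key, n in tally.most_common():
        print(n, key)
    print(f"share of hits from TCP sport 80/443: {server_reply_share(tally):.0%}")
    for line in draft_suppressions(tally, 3, 16408, {"198.51.100.10", "198.51.100.11"}):
        print(line)
```

The tally plus the 80/443 share is the evidence to send along with the pcap Joel asks for; the drafted `suppress` lines go into threshold.conf only for sources the analyst has already vetted, and `min_hits` keeps a single stray hit from a trusted host from being silenced before anyone has looked at it.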