Snort mailing list archives
Re: FPs on 13711-13713
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Fri, 27 Aug 2010 09:07:56 -0600
The problem seems to be the client port chosen by the application, which often is 3306, and it connects to 5222 on the chat server. So, these rules trigger on the replies from the server to the client. I did only cursory examination of these events. I don't see a quick way of dealing with this if an ephemeral 3306 is chosen by the client. The rules have "flow:established,to_server" already (so why did this trigger?). I wonder if the only way might be to find some additional signature component that's unique to the MySQL traffic.

--
Shane Castle
Data Security Mgr, Boulder County IT
GSEC GCIH
303-441-3953

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Thursday, August 26, 2010 16:53
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FPs on 13711-13713

On 8/26/2010 16:12, Castle, Shane wrote:
> The recently added rules 13711, 13712, and 13713 all exhibit FP behavior for the google chat application, google Talk, using XMPP.
wow.. really??? that would seem to indicate that they are, in the first place, using the mysql TCP port of 3306 for their communications... if so, that doesn't seem nice at all... those rules check for the non-existence of several flowbits... could that be part of the problem if you have the rules that set those flowbits disabled?? i do note that those rules do set flowbit sslv2.client_hello.request but that's not one of the ones being checked...
> Attached are pcaps.
------------------------------------------------------------------------------
Sell apps to millions through the Intel(R) Atom(Tm) Developer Program
Be part of this innovative community and reach millions of netbook users worldwide. Take advantage of special opportunities to increase revenue and speed time-to-market. Join now, and jumpstart your future.
http://p.sf.net/sfu/intel-atom-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
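The following is an added example, not code from this thread or from the Snort project. It models in plain Python the two points under discussion: how a rule written for "-> $HOME_NET 3306" with "flow:established,to_server" can end up matching a chat server's replies when the client picked 3306 as its ephemeral source port, and what Shane's "additional signature component that's unique to the MySQL traffic" would buy. The addresses, ports, payloads and the rule body are constructed (the rule is a stand-in, not the content of SIDs 13711-13713), and the midstream-pickup behaviour (when the SYN was never seen, the sender of the first packet observed is treated as the client) is an assumption about the tracker, offered as one way the direction check could be defeated, not as a finding from the pcaps.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Endpoint = Tuple[str, int]

HOME_NET = {"10.1.1.50"}           # constructed: the chat client (and, later, a MySQL server)
EXTERNAL_NET = {"198.51.100.7"}    # constructed: the chat server (and, later, a MySQL client)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # "S", "SA", "A" or "PA"
    payload: bytes = b""


@dataclass
class Session:
    client: Endpoint
    server: Endpoint
    established: bool
    midstream: bool


class FlowTracker:
    """Minimal stream tracker: client/server roles come from the SYN when it is seen."""

    def __init__(self) -> None:
        self.sessions: Dict[FrozenSet[Endpoint], Session] = {}

    def process(self, p: Pkt) -> Tuple[Session, str]:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        s = self.sessions.get(key)
        if s is None:
            if p.flags == "S":
                s = Session((p.src, p.sport), (p.dst, p.dport), False, False)
            else:
                # ASSUMPTION (midstream pickup): no SYN was seen, so the sender of
                # the first packet observed is taken to be the client and the
                # flow is treated as established.
                s = Session((p.src, p.sport), (p.dst, p.dport), True, True)
            self.sessions[key] = s
        elif p.flags == "A" and not s.established:
            s.established = True     # final ACK of the handshake (simplified)
        direction = "to_server" if (p.src, p.sport) == s.client else "to_client"
        return s, direction


def looks_like_mysql_login(payload: bytes) -> bool:
    """MySQL packets start with a 3-byte little-endian length and a 1-byte sequence
    id; the client's login (handshake response) is the second packet of the
    exchange, so its sequence id is 1 and the length must match the body."""
    if len(payload) < 4:
        return False
    return payload[3] == 1 and int.from_bytes(payload[:3], "little") == len(payload) - 4


@dataclass(frozen=True)
class Rule:
    """Stand-in for 'alert tcp $EXTERNAL_NET any -> $HOME_NET 3306
    (flow:established,to_server; ...)'. Constructed; not the real rule bodies."""
    sid: int
    dport: int
    flow_dir: str
    require_mysql_login: bool = False   # the extra MySQL-specific component

    def matches(self, p: Pkt, s: Session, direction: str) -> bool:
        if p.src not in EXTERNAL_NET or p.dst not in HOME_NET or p.dport != self.dport:
            return False
        if not s.established or direction != self.flow_dir:
            return False
        return not self.require_mysql_login or looks_like_mysql_login(p.payload)


def run(packets: List[Pkt], rules: List[Rule]) -> List[Tuple[int, int, int, str]]:
    tracker = FlowTracker()
    alerts: List[Tuple[int, int, int, str]] = []
    for p in packets:
        s, direction = tracker.process(p)
        alerts += [(r.sid, p.sport, p.dport, direction) for r in rules if r.matches(p, s, direction)]
    return alerts


CLIENT, SERVER = "10.1.1.50", "198.51.100.7"
XMPP_REPLY = b"<?xml version='1.0'?><stream:stream xmlns='jabber:client'>"   # constructed
HANDSHAKE = [Pkt(CLIENT, 3306, SERVER, 5222, "S"),      # client chose 3306 as its source port
             Pkt(SERVER, 5222, CLIENT, 3306, "SA"),
             Pkt(CLIENT, 3306, SERVER, 5222, "A")]
REPLY = Pkt(SERVER, 5222, CLIENT, 3306, "PA", XMPP_REPLY)

BARE = Rule(sid=1000001, dport=3306, flow_dir="to_server")
TIGHT = Rule(sid=1000002, dport=3306, flow_dir="to_server", require_mysql_login=True)


def scenario_full_handshake(rule: Rule):
    """Sensor saw the SYN: the reply is to_client and the rule stays quiet."""
    return run(HANDSHAKE + [REPLY], [rule])


def scenario_midstream(rule: Rule):
    """Sensor missed the SYN: the server's reply is the first packet seen."""
    return run([REPLY], [rule])


def scenario_mysql_login(rule: Rule):
    """Genuine client login to a MySQL server on 3306 (constructed bytes)."""
    login = bytes([32, 0, 0, 1]) + b"\x85\xa6\x03\x00" + b"\x00" * 28
    pkts = [Pkt(SERVER, 50000, CLIENT, 3306, "S"),
            Pkt(CLIENT, 3306, SERVER, 50000, "SA"),
            Pkt(SERVER, 50000, CLIENT, 3306, "A"),
            Pkt(SERVER, 50000, CLIENT, 3306, "PA", login)]
    return run(pkts, [rule])


if __name__ == "__main__":
    print("handshake seen, bare rule :", scenario_full_handshake(BARE))
    print("midstream, bare rule      :", scenario_midstream(BARE))
    print("midstream, tightened rule :", scenario_midstream(TIGHT))
    print("real MySQL login, tight   :", scenario_mysql_login(TIGHT))
```

With the handshake in view the direction check alone keeps the bare rule quiet; only when the tracker has to guess the roles does the XMPP reply come through as to_server, and then the port-only rule fires while the one that also insists on a MySQL login header does not. Confirming whether that guess is what happened on Shane's sensor would take the attached pcaps plus the stream preprocessor settings, which the thread does not include. As a stopgap that needs no rule editing, Snort's threshold.conf `suppress gen_id 1, sig_id <sid>, track by_src, ip <chat-server-address>` silences a SID for the chat servers' addresses.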
Current thread:
- FPs on 13711-13713 Castle, Shane (Aug 26)
- Re: FPs on 13711-13713 waldo kitty (Aug 26)
- Re: FPs on 13711-13713 Castle, Shane (Aug 27)
- Re: FPs on 13711-13713 waldo kitty (Aug 26)