Snort mailing list archives
Re: SiD:4129 - No FP - No FN but wrong
From: Crusty Saint <saintcrusty () gmail com>
Date: Tue, 29 Mar 2011 16:14:47 +0200
Just to make my rambling more clear. Sigh, so far I've not come to any pcap files yet, workload sucks with faaar less interesting stuff. Any people in Belgium looking for a motivated security analyst can send me an e-mail.

2011/3/29 Crusty Saint <saintcrusty () gmail com>
Hi Joel,

I have rev:4 here, no updates are expected any time soon. For now there are just two occurrences. Given your reply I'll have a look at the pcap and if still required forward you the data.

Thanks for your constructive reply

2011/3/28 Joel Esler <jesler () sourcefire com>

What rev of the rule are you running? The copy I have (4) has a content match, two byte jumps and a byte_test. Plus there is a specific port coded into it. That's fairly specific, but I see how a FP would occur. Do you have a pcap?

Joel

On Mar 28, 2011, at 11:08 AM, Crusty Saint wrote:

Hi,

For http://www.snort.org/search/sid/4129 "EXPLOIT Novell ZenWorks Remote Management Agent large login packet DoS attempt" I see no false-positive or false-negative reported, but there possibly could be one now. Though the root cause might well be PEBKAC. I think it is safe to assume such a pebkac-positive would occur when a rule is active and applied on a network not using the specified service/protocol, but I also hope Snort's logic is sufficiently precise to eliminate such erroneous detections. Based on what I've seen in the rule, the detection is based on just two bytes, so I assume the FP/FN rate to be much higher (? help ?) if used on a network without related traffic present.

Best Regards,
Saint Crusty

-- 
- - - Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I deserve a rant, write me off-list

------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the growing manageability and security demands of your customers. Businesses are taking advantage of Intel(R) vPro (TM) technology - will your software be a part of the solution? Download the Intel(R) Manageability Checker today!
http://p.sf.net/sfu/intel-dev2devmar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Joel Esler
http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
Twitter: http://twitter.com/snort

-- 
- - - Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I deserve a rant, write me off-list
-- 
- - - Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I deserve a rant, write me off-list
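The thread turns on whether sid:4129 fires on "just two bytes" or on the chain Joel describes (a content match, two byte_jumps, a byte_test and a fixed port). The following is an added example, written for this archive page; it is not code from the thread, from Snort, or from the sid:4129 rule, and it does not reproduce that rule's text. It emulates the numeric, relative form of the three Snort options over a constructed toy wire format and runs both a bare two-byte match and the full chain against constructed payloads, so the narrowing effect of the later options is visible. The port 1761, the magic bytes 00 06, the 1024 threshold, the field layout and the sample payloads are all assumptions made up for the example.

```python
"""
Added teaching example (not the rule text of sid:4129 and not Snort code).

Emulates three Snort rule options -- content/depth, byte_jump (relative)
and byte_test (relative) -- over constructed payloads, to show why a rule
that chains a content match, two byte_jumps and a byte_test on a fixed port
is far narrower than a bare two-byte content match.  Every value below is
invented for a toy wire format.
"""
import struct

SERVICE_PORT = 1761   # assumed destination port for the toy rule (placeholder)
MAGIC = b"\x00\x06"   # assumed 2-byte content at the start of the payload
LOGIN_LIMIT = 1024    # assumed threshold above which a login field is "large"

_FMT = {1: "B", 2: "H", 4: "I"}


def _read_uint(payload, pos, nbytes, little_endian=False):
    """Read an unsigned integer of nbytes at pos; None if it runs off the end."""
    field = payload[pos:pos + nbytes]
    if len(field) < nbytes:
        return None
    return struct.unpack(("<" if little_endian else ">") + _FMT[nbytes], field)[0]


def content_match(payload, pattern, depth):
    """'content' with 'depth': pattern must lie within the first depth bytes.
    Returns the cursor just past the match (the detection pointer), else None."""
    idx = payload[:depth].find(pattern)
    return None if idx < 0 else idx + len(pattern)


def byte_jump(payload, cursor, nbytes, offset=0, little_endian=False):
    """'byte_jump' with 'relative': read a length at cursor+offset and skip
    that many bytes past the length field itself.  None if the jump leaves
    the payload, which makes the rule fail to match."""
    pos = cursor + offset
    length = _read_uint(payload, pos, nbytes, little_endian)
    if length is None:
        return None
    new_cursor = pos + nbytes + length
    return new_cursor if new_cursor <= len(payload) else None


def byte_test(payload, cursor, nbytes, op, value, offset=0, little_endian=False):
    """'byte_test' with 'relative': compare the integer at cursor+offset to value."""
    field = _read_uint(payload, cursor + offset, nbytes, little_endian)
    if field is None:
        return False
    return {">": field > value, "<": field < value, "=": field == value}[op]


def rule_matches(dst_port, payload):
    """The toy rule: port, content, byte_jump, byte_jump, byte_test, in order.
    Any failing step means no alert."""
    if dst_port != SERVICE_PORT:
        return False
    cur = content_match(payload, MAGIC, depth=2)         # header magic
    if cur is None:
        return False
    cur = byte_jump(payload, cur, 2)                     # skip length-prefixed field 1
    if cur is None:
        return False
    cur = byte_jump(payload, cur, 2)                     # skip length-prefixed field 2
    if cur is None:
        return False
    return byte_test(payload, cur, 2, ">", LOGIN_LIMIT)  # login length field


def content_only(payload):
    """What the thread feared the rule was: nothing but the two-byte match."""
    return content_match(payload, MAGIC, depth=2) is not None


def build_login(field1, field2, login):
    """Constructed encoder for the toy wire format: magic, then three
    big-endian 16-bit-length-prefixed fields."""
    out = MAGIC
    for f in (field1, field2, login):
        out += struct.pack(">H", len(f)) + f
    return out


# Constructed samples (not captured traffic).
NORMAL_LOGIN = build_login(b"vendor", b"host01", b"alice")
LARGE_LOGIN = build_login(b"vendor", b"host01", b"A" * 2048)
UNRELATED = MAGIC + b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"  # shares only the 2-byte prefix


if __name__ == "__main__":
    for name, p in (("normal", NORMAL_LOGIN), ("large", LARGE_LOGIN), ("unrelated", UNRELATED)):
        print(f"{name:9s} content-only={content_only(p)!s:5s} full-rule={rule_matches(SERVICE_PORT, p)}")
    print("wrong port", rule_matches(80, LARGE_LOGIN))
```

The unrelated payload passes the bare two-byte check but fails at the first byte_jump because the bytes it reads as a length send the pointer past the end of the payload; the well-formed small login passes both jumps and fails only at the byte_test. That is the difference between a two-byte signature and the chain Joel describes, and it is why a port-scoped, structure-aware rule rarely fires on networks that never carry the protocol at all. The emulation covers only the numeric, relative form of the options (no multiplier, align, from_beginning or string conversion), so the authoritative check on a suspect alert remains replaying the pcap through Snort itself with the rule's revision in place.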
Current thread:
- SiD:4129 - No FP - No FN but wrong Crusty Saint (Mar 28)
- Re: SiD:4129 - No FP - No FN but wrong rmkml (Mar 28)
- Re: SiD:4129 - No FP - No FN but wrong Joel Esler (Mar 28)
- Re: SiD:4129 - No FP - No FN but wrong Crusty Saint (Mar 29)
- Re: SiD:4129 - No FP - No FN but wrong Joel Esler (Mar 29)
- Re: SiD:4129 - No FP - No FN but wrong Crusty Saint (Mar 29)
- Re: SiD:4129 - No FP - No FN but wrong Crusty Saint (Mar 29)