
[Snort-sigs] False positive generated on SID 2329

From: Jonathon Leszczynski <jonalesz(at)med.umich.edu>
Date: Fri Mar 19 2004 - 11:05:47 EST


Here is a sample of what I reported before as a false positive:

  Meta     ID #: 1-185                 Time Triggered: 2004-03-12 23:48:06
           Signature: [url] [bugtraq] [cve] [icat] [snort] MS-SQL probe response overflow attempt
           Sensor name: WSVM1006:\Device\NPF_{96D8CB44-417E-4CE2-972C-2A38F26C9561}
           Interface:   \Device\NPF_{96D8CB44-417E-4CE2-972C-2A38F26C9561}
           Filter: none
           Alert Group: none

  IP       Source addr: 172.20.1.252         Dest addr: 141.214.154.96
           Ver: 4   Hdr Len: 5   TOS: 0   Length: 87   ID: 7217   Flags: 0   Offset: 0   TTL: 126   Chksum: 18974
           FQDN   Source Name: s-umhs-dns3.med.umich.edu     Dest. Name: WSVM1006.umhs.med.umich.edu
           Options: none

  UDP      Source port: 53   Dest port: 1027   Length: 67

  Payload  length = 59
  000 : 05 C4 81 80 00 01 00 01 00 00 00 00 06 75 6D 68   .............umh
  010 : 73 30 31 04 75 6D 68 73 03 6D 65 64 05 75 6D 69   s01.umhs.med.umi
  020 : 63 68 03 65 64 75 00 00 01 00 01 C0 0C 00 01 00   ch.edu..........
  030 : 01 00 00 0D 3B 00 04 AC 14 5C BC                  ....;....\.

>>> Jonathon Leszczynski 9:16:22 AM 09-Mar-04 >>>

 Jonathon Leszczynski
MCIT 734-764-5725
JonaLesz@med.umich.edu
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#

Rule:

--
Sid:
2329

--
Summary:
(as already written)

--
Impact:
Serious. (as already written)

--
Detailed Information:
(as already written)

--
Affected Systems:
(as already written)

--
Attack Scenarios:
(as already written)

--
Ease of Attack:
(as already written)

--
False Positives:
When using ACID, and when ACID does its reverse lookups (easier to
replicate when many reverse lookups are occurring), the returned
information appears to Snort to be this kind of attack. When the
network is busy, I have been able to replicate this at will. The
source IP will show up as coming from UDP port 53 from the DNS in
making the "attack".

--
False Negatives:
(as already written)

--
Corrective Action:
(as already written)

--
Contributors:
(as already written) plus Jon Leszczynski

--
Additional References:
(as already written)

Jonathon Leszczynski
MCIT 734-764-5725
JonaLesz@med.umich.edu
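To confirm that the alerted payload is an ordinary DNS answer rather than MS-SQL traffic, it can be decoded field by field. The following is an added example, not code from the original post or from the Snort project; it parses the 59-byte payload dump from the alert above with Python's standard library only and reports whether the whole datagram is a well-formed DNS response.

```python
import struct

# UDP payload from the ACID alert above (59 bytes, source port 53), copied row by row.
PAYLOAD = bytes.fromhex(
    "05 C4 81 80 00 01 00 01 00 00 00 00 06 75 6D 68"
    "73 30 31 04 75 6D 68 73 03 6D 65 64 05 75 6D 69"
    "63 68 03 65 64 75 00 00 01 00 01 C0 0C 00 01 00"
    "01 00 00 0D 3B 00 04 AC 14 5C BC")

def read_name(msg, off):
    """Read a DNS name at off (following RFC 1035 compression pointers); return (name, offset past it)."""
    labels, end = [], None
    for _ in range(256):                       # bounded, so a pointer loop cannot hang the parser
        length = msg[off]
        if length & 0xC0 == 0xC0:              # 11xxxxxx: pointer back into the message
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:                        # root label terminates the name
            return ".".join(labels), end if end is not None else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or compression pointer loop")

def decode_response(msg):
    """Parse the header, the question and every answer RR; raises on a malformed message."""
    ident, flags, qd, an = struct.unpack_from("!4H", msg)
    qname, off = read_name(msg, 12)            # question section follows the 12-byte header
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    answers, off = [], off + 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:          # A record: render RDATA as a dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": ident, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "question": (qname, qtype, qclass), "answers": answers, "consumed": off}

def is_dns_answer(msg):
    """True only if the whole payload parses as a DNS response (QR=1) with no trailing bytes."""
    try:
        rec = decode_response(msg)
    except (struct.error, IndexError, UnicodeDecodeError, ValueError):
        return False
    return rec["is_response"] and rec["consumed"] == len(msg)
```

For the captured bytes the decoder yields transaction ID 0x05C4, a single question for umhs01.umhs.med.umich.edu (A, IN) and one A answer of 172.20.92.188 with TTL 3387, consuming all 59 bytes.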




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Mon Mar 22 09:40:59 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:37 EDT

