Well, I can understand your desire for privacy, certainly; my request
for pcaps going to the list was made more as a policy sort of thing --
so that, in essence, we don't end up fragmenting snort-sigs into a
million different private discussions.
Given that your objection seems to rest on privacy, though, have you
seen the -O flag to Snort, which obfuscates IP addresses for
circumstances like this? You could easily just do that; if there's other
identifying information, either just go through with Netdude or another
packet-modifying tool and obfuscate that, or if that's not feasible,
just send them to Sourcefire privately. We don't mind accomodating a
request for privacy like that; like I said, it's more of a general
policy issue that, whenever possible, things should be kept on-list, so
as to not fragment the discussion.
Alex Kirk
Research Analyst
Sourcefire, Inc.
I understand that my report is pretty useless without corraborating
information, but in the interest of security I chose not to distribute
the pcaps to the list, since they contain my IPs and other identifying
information. I did say that I'll be more than happy to provide the
pcaps to the snort team, but I didn't want to just fire off the email
to you guys (snort/sourcefire), and bypass the list. I'll send the
pcap to you directly.
I believe it's a false positive because it does not look like an
attack. It's coming from a desktop, directed to a server (actually
two different servers), but the timing is not consistent with an
attack, rather with normal MS communication. It's all some fuzzy
logic in my head, call it my gut feeling, but I am pretty sure it's
not an attack, and therefore a False Positive.
On Wed, 25 Aug 2004 11:52:43 -0400, Alex Kirk <alex.kirk@sourcefire.com> wrote:
Generally speaking, it's nice if you can provide details with a false
positive report -- like why you think it's a false positive, what (if
anything) you suspect may be causing it, and pcaps if appropriate. We're
more than happy to investigate these things, but just saying there's a
false positive associated with a rule gives us nowhere to even begin.
BTW, please send whatever details you may have to the list, so that more
eyes can be looking at them.
Alex Kirk
Research Analyst
Sourcefire, Inc.
I am using the newest 2.2 ruleset (as of yesterday) and seeing a fair
number of false positives on sid 2383 "NETBIOS SMB-DS DCERPC NTLMSSP
asn1 overflow attempt"
Anyone else?
I can provide pcaps to the snort/sourcefire team if need be.
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
