Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] BACKDOOR NetMetro File List Signature False Positive

from [Nigel Houghton] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] BACKDOOR NetMetro File List Signature False Positive
Date: Fri, 27 Aug 2004 11:11:30 -0400 
On  0, "McCash, John" <John.McCash@andrew.com> allegedly wrote:

Here's a suggested update for the 'BACKDOOR NetMetro File List' signature, 
which lists a possible false positive that I've just observed.
              John McCash

 

False Positives       This rule can generate a false positive if a web 
request goes out on port 5032, and is responded to by a web server with a 
string containing '--'


Please check your $EXTERNAL_NET and $HOME_NET variables. This rule contains
a number of things that indicate your false positive condition does not
exist.

 1. $EXTERNAL_NET any -> $HOME_NET 5032 -- This means the direction of flow
 is from the outside to the inside and is destined for an inside
 destination port of 5032

 2. flow:to_server,established; -- This means the handshake is done from
 the outside to the inside and the session is set up (see 1)

 3. content:"--"; -- When sombined with 1 & 2, this means the "--" is in
 the stream from outside to inside.

Now, your false positive indicates that this rule would fire on a session
intiated from inside to an outside. Please make sure your variables are not
set to "any" in snort.conf and observe the rule some more. If you still
think you have false positives, send more details along with a packet
capture of the traffic causing the false positives.

+-------------------------------------------------------------------------+
       Nigel Houghton       Research Engineer        Sourcefire Inc.
                       Vulnerability Research Team
                                                                         
  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonaise." - Cartman
+-------------------------------------------------------------------------+


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Snort-sigs] RE: Snort Rule Howto, Harper, Patrick
Next by Date:  Re: [Snort-sigs] Possible false positives for rule 1:1983, 1:1980 and 1:1981, Alex Kirk
Previous by Thread:  [Snort-sigs] BACKDOOR NetMetro File List Signature False Positive, McCash, John
Next by Thread:  [Snort-sigs] Possible false positives for rule 1:1983, 1:1980 and 1:1981, George Laiacona
Indexes:  [Date] [Thread] [Top] [All Lists]