[Snort-sigs] Add false positive entry to rule 1:2003

Subject: [Snort-sigs] Add false positive entry to rule 1:2003
Date: Mon, 30 Aug 2004 15:21:20 -0700

Rule:  MS-SQL Worm propagation attempt

--
Sid: 1:2003

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

ICMP port 1434 unreachable packets are sent out triggering an alert when the
packet is benign. Please see attached ACID report.

--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:


--
Lyndon Tiu
ACID
Alert

Queried DB on:     Mon August 30, 2004 15:04:10
Meta Criteria:     any
IP Criteria:       any
Layer 4 Criteria:  none
Payload Criteria:  any
Added 0 alert(s) to the Alert cache

Alert #12

Meta
  ID #:                 2 - 2402
  Time:                 2004-08-30 14:46:17
  Triggered Signature:  MS-SQL Worm propagation attempt
  Sensor name:          ids1.latitudegeo.com:eth1
  interface:            eth1
  filter:               none
  Alert Group:          none
IP
  source addr:  24.68.236.218  (Source Name: Unable to resolve address)
  dest addr:    67.38.37.3     (Dest. Name: adsl-67-38-37-3.dsl.ipltin.ameritech.net)
  Ver 4   Hdr Len 5   TOS 0   length 56   ID 13254   flags 0   offset 0   TTL 128   chksum 39351
  Options:      none
ICMP
  type:      (3) Destination Unreachable
  code:      (3) Port Unreachable
  checksum:  11743
  id / seq #: (none)
Payload
 length = 32

000 : 00 00 00 00 45 00 01 94 6F B3 00 00 74 11 68 5E   ....E...o...t.h^
010 : 43 26 25 03 18 44 EC DA 04 D8 05 9A 01 80 C3 2B   C&%..D.........+
  Protocol:              UDP
  Org.Source IP:         67.38.37.3
  Org.Source Name:       adsl-67-38-37-3.dsl.ipltin.ameritech.net
  Org.Source Port:       1240
  Org.Destination IP:    24.68.236.218
  Org.Destination Name:  Unable to resolve address
  Org.Destination Port:  1434

ACID v0.9.6b23 ( by Roman Danyliw as part of the AirCERT project )
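An added example, not from the post, Snort or ACID: it decodes the 32-byte ICMP payload shown in the report above (copied here as a constructed constant) to recover the quoted original datagram, which is what an analyst triaging an alert on an ICMP port-unreachable error actually needs to look at. The function names `decode_quoted_datagram` and `triage` are chosen here, and the decoder assumes an IPv4/UDP quote as in the report.

```python
import struct
from ipaddress import IPv4Address

# Constructed copy of the 32-byte ICMP payload shown in the ACID report above.
ACID_PAYLOAD = bytes.fromhex(
    "00000000450001946FB300007411685E432625031844ECDA04D8059A0180C32B")
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, IPPROTO_UDP = 3, 3, 17


def decode_quoted_datagram(icmp_type, icmp_code, payload):
    """Decode the datagram quoted in an ICMP port-unreachable error.
    RFC 792: 4 unused bytes, then the original IP header and the first 8 bytes
    of the original datagram (exactly the UDP header). None if not UDP/port-unr.
    """
    if (icmp_type, icmp_code) != (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
        return None
    inner = payload[4:]
    if len(inner) < 20:
        return None
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_UDP or len(inner) < ihl + 8:
        return None
    sport, dport, udp_len, _ = struct.unpack("!HHHH", inner[ihl:ihl + 8])
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "sport": sport, "dport": dport, "ttl": ttl,
        "ip_total_len": total_len, "udp_len": udp_len,
        # UDP payload bytes actually present in the quote: the only bytes any
        # content match could inspect on this packet (0 for the report above).
        "quoted_payload_len": len(inner) - ihl - 8,
    }


def triage(outer_src, outer_dst, icmp_type, icmp_code, payload, port=1434):
    """Summarise an ICMP error quoting traffic to `port` for an analyst.
    Direction flips: the alert's outer source is the host that rejected the
    datagram; the original sender is the quoted (inner) source.
    """
    q = decode_quoted_datagram(icmp_type, icmp_code, payload)
    if q is None or q["dport"] != port:
        return None
    return {
        "original_sender": f'{q["src"]}:{q["sport"]}',
        "rejecting_host": f'{q["dst"]}:{q["dport"]}',
        # A genuine error quotes the reverse of its own outer addresses.
        "addresses_consistent": outer_src == q["dst"] and outer_dst == q["src"],
        "original_ip_len": q["ip_total_len"],
        "quoted_payload_len": q["quoted_payload_len"],
    }
```

Run against the report's payload, `triage("24.68.236.218", "67.38.37.3", 3, 3, ACID_PAYLOAD)` reports the original sender as 67.38.37.3:1240, the rejecting host as 24.68.236.218:1434, a quoted IP length of 404 and zero quoted UDP payload bytes.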
