
Re: [Snort-sigs] Additional false positive for 1:1882 and 1:1292

Subject: Re: [Snort-sigs] Additional false positive for 1:1882 and 1:1292
Date: Thu, 14 Oct 2004 08:40:58 -0500
On  0, "Burtoft, Jim" <jburtoft@blairtech.com> allegedly wrote:
This event will generate an event if the snort ruleset is sent through an 
unencrypted connection.  For example, the Backup Exec agent for Linux uses an 
unencrypted connection to send the data back to a Windows Backup Exec server, 
so this rule will generate multiple events during the course of a backup. 


Currently the false positive section for 1:1882 says:

"This rule will generate an event if a legitimate system administrator
executes the "id" command over an unencrypted connection"

I suspect your Linux Backup Exec Agent (whatever that is, I suspect it's
the old Veritas thing) performs some kind of id check when it does its thing.

As for 1:1292 the false positive section states:

"The rule will generate an event if the string "Volume Serial Number"
appears in the content distributed by the web server, in which case the rule 
should be tuned."

I suspect a similar situation (although this false positive description
needs a little change), but without looking closely at the traffic
it's not possible to say exactly what is going on or how you can reduce
those false positives. 

Having said that, if your host with the agent and the server receiving the
data are both in your home net, and you have the $HOME_NET variable set
correctly, these rules should not generate events.

+-----------------------------------------------------------------+
    Nigel Houghton      Research Engineer       Sourcefire Inc.
                  Vulnerability Research Team

 Cat: "Forget red - let's go all the way up to brown alert!"
 Kryten: "There's no such thing as a brown alert sir."
 Cat: "You won't be saying that in a minute!"
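
To make the last point concrete, here is an added example (not code from this thread or from Snort itself) that mimics how Snort resolves $HOME_NET and $EXTERNAL_NET in a rule header. The header shape, the address ranges and the flows are assumed for illustration; it shows why an internal-to-internal backup stream matches with the default HOME_NET of `any` but not once HOME_NET is set and EXTERNAL_NET is `!$HOME_NET`.

```python
import ipaddress

# Constructed header in the $HOME_NET -> $EXTERNAL_NET shape discussed above.
# The real bodies of 1:1882 and 1:1292 are not on this page and are not used.
RULE_HEADER = "alert tcp $HOME_NET any -> $EXTERNAL_NET any"

# Untuned snort.conf: everything is "any", so direction never excludes a flow.
DEFAULT_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
# Tuned snort.conf: HOME_NET is the site's ranges, EXTERNAL_NET is its negation.
TUNED_VARS = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]",
              "EXTERNAL_NET": "!$HOME_NET"}


def resolve_var(token, variables):
    """Expand a token ("any", a [list], $VAR, or !-negated form) into
    (negated, networks); networks is None for "any" (every address)."""
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        # A variable value may itself be negated, e.g. EXTERNAL_NET = !$HOME_NET,
        # so the negations compose (xor) through the expansion.
        inner_neg, nets = resolve_var(variables[token[1:]], variables)
        return negated ^ inner_neg, nets
    if token == "any":
        return negated, None
    nets = [ipaddress.ip_network(n) for n in token.strip("[]").split(",")]
    return negated, nets


def addr_matches(addr, spec):
    """Does one address satisfy a resolved (negated, networks) spec?"""
    negated, nets = spec
    hit = True if nets is None else any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negated


def header_matches(header, variables, src, dst):
    """True if a src -> dst flow satisfies the header's address fields."""
    _, _, src_tok, _, _, dst_tok, _ = header.split()
    return (addr_matches(src, resolve_var(src_tok, variables))
            and addr_matches(dst, resolve_var(dst_tok, variables)))


if __name__ == "__main__":
    # Constructed flows: backup agent -> backup server (both internal),
    # and an internal host -> an outside address.
    for vars_ in (DEFAULT_VARS, TUNED_VARS):
        print(vars_["HOME_NET"],
              "internal->internal:", header_matches(RULE_HEADER, vars_, "10.1.1.5", "10.1.1.9"),
              "internal->external:", header_matches(RULE_HEADER, vars_, "10.1.1.5", "203.0.113.5"))
```

The internal backup flow is only excluded in the tuned case; content matching on "uid=" or "Volume Serial Number" is never reached for it, which is the effect the reply above describes.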


