[Snort-sigs] Possible False Positive on SID 2381???

Subject: [Snort-sigs] Possible False Positive on SID 2381???
Date: Wed, 10 Nov 2004 08:16:45 -0800 (PST)
Attached is a PCAP of the offending packet. The destination was a webserver on our DMZ. The SID that fired is "WEB-MISC schema overflow attempt" with the listed affected system being Checkpoint Firewall-1.

When looking at the pcap payload I see "pdf" a couple of times and "adobe" a couple of times. So I am guessing it's a false positive. But I don't know. I am still a beginner.

I am attaching the only other PCAP I have from the same source if that will help. (It triggered (http_inspect) BARE BYTE UNICODE ENCODING.)

Again, I am not sure if this is a false positive or was an actual intrusion attempt (we are patched and not affected by the supposed vuln anyway) but I would like to know!

Any help/advice/requests for more info (that maybe I don't know I have) are welcome and appreciated!

Side (dumb) question. Say I was vulnerable to this Checkpoint firewall attack. Would a packet destined to the webserver on the DMZ do damage to the firewall just because it passes through it... or would the packet have to be destined for the actual firewall?
Thanks for the help!

-Seth


Attachment: checkpoint.log
Description: checkpoint.log

Attachment: bare_byte.log
Description: bare_byte.log
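The triage Seth describes (open the pcap, look at the payload, see whether the strings the rule keys on are really there) can be done without a GUI. The following is an added example, not code from the post or from the Snort project: a stdlib-only Python script that builds a one-packet pcap from a constructed HTTP request, walks the Ethernet/IPv4/TCP headers to the payload, and reports which case-insensitive patterns appear, the way a Snort `content` match with `nocase` would see them. The sample request, the addresses and the pattern list (`"schema"`, `"pdf"`, `"adobe"`) are assumptions; the real rule body for SID 2381 is not on the page, so the patterns should be replaced with the `content`/`uricontent` strings from your own rules file, and `build_pcap` replaced by reading the attached capture.

```python
import struct

# Constructed sample: an HTTP POST carrying a PDF upload (NOT the poster's pcap).
SAMPLE_PAYLOAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Adobe Acrobat\r\n"
    b"Content-Type: application/pdf\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"
)

# Hypothetical stand-ins for the rule's content strings. The real SID 2381 rule
# body is not reproduced on the page; take the strings from your own rule file.
PATTERNS = ["schema", "pdf", "adobe"]


def build_pcap(payload, src="192.0.2.10", dst="198.51.100.20", dport=80):
    """Wrap `payload` in a one-packet pcap (Ethernet/IPv4/TCP). Constructed data."""
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    tcp = struct.pack("!HHIIBBHHH", 40312, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip_total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = bytes(12) + b"\x08\x00"                      # zero MACs, EtherType IPv4
    frame = eth + ip + tcp + payload
    rec_hdr = struct.pack("<IIII", 1100000000, 0, len(frame), len(frame))
    return global_hdr + rec_hdr + frame


def tcp_packets(pcap):
    """Yield (src, dst, sport, dport, payload) for each TCP-over-IPv4 record."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("example handles little-endian microsecond pcap only")
    linktype, = struct.unpack("<I", pcap[20:24])
    if linktype != 1:
        raise ValueError("example handles Ethernet (linktype 1) only")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if frame[12:14] != b"\x08\x00":                # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                  # not TCP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]                         # drops Ethernet padding
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield src, dst, sport, dport, tcp[data_off:]


def printable_strings(data, min_len=4):
    """Return runs of printable ASCII, roughly what `strings` would print."""
    out, run = [], []
    for b in data:
        if 32 <= b < 127:
            run.append(chr(b))
            continue
        if len(run) >= min_len:
            out.append("".join(run))
        run = []
    if len(run) >= min_len:
        out.append("".join(run))
    return out


def triage(pcap, patterns=PATTERNS):
    """Per TCP payload: flow, request line, case-insensitive pattern hits, strings."""
    results = []
    for src, dst, sport, dport, payload in tcp_packets(pcap):
        low = payload.lower()
        results.append({
            "flow": f"{src}:{sport} -> {dst}:{dport}",
            "request_line": payload.split(b"\r\n", 1)[0].decode("latin-1"),
            "hits": {p: p.lower().encode() in low for p in patterns},
            "strings": printable_strings(payload),
        })
    return results


if __name__ == "__main__":
    for r in triage(build_pcap(SAMPLE_PAYLOAD)):
        print(r["flow"], r["request_line"])
        for pat, hit in r["hits"].items():
            print(f"  {pat!r}: {'present' if hit else 'absent'}")
        print("  strings:", r["strings"])
```

Reading the output against the rule is the actual triage step: if the strings the rule keys on are absent and the request line is an ordinary upload, the "pdf" and "adobe" hits are just the file being posted, which supports the false-positive reading. The `flow` field also answers the practical half of the side question from a defender's view: it shows which host the packet was addressed to, so you know whose patch level matters when deciding whether the alert needs follow-up. Keep in mind that the script ignores `flow`/`uricontent`/`depth`/`offset` modifiers, so a pattern that is present here may still not match in Snort, and the two log attachments would need to be exported as pcap before `tcp_packets` can read them.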
