Re: [Snort-sigs] False +ves on 2586 -- P2P eDonkey transfer

Hugo van der Kooij wrote:

> On Fri, 12 Nov 2004, Chich Thierry wrote:
>
>  
>
> > Russell Fulton wrote:
> >
> >    
> >
> > > GEN:SID   1:2586
> > > Message  P2P eDonkey transfer
> > >
> > > Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET any (msg:"P2P eDonkey
> > > transfer"; flow:established; content:"|E3|"; depth:1;
> > > reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2586; rev:1;)
> > >      
>
> I think that the any definition should be a range for high ports
> (1024-65535). This would prevent most false positives with normal
> applications.
>
> However I do not know if you may also get false negatives. (meaning: you
> may miss out traffic which you would have like to see reported.)
>
> Hugo.
>
>  
Actually, Hugo, specifying this sort of a high port range is likely to 
generate *more* false positives. The reason these false positives occur 
is that there's not much for the rule to trigger on (and having done 
some research into the protocol, I can tell you that reliably improving 
this rule is difficult, if not impossible), and as such they will hit on 
things like SSL traffic, which lives on a high port client-side.

Alex Kirk
Research Analyst
Sourcefire, Inc.


-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs