Subject: [Snort-sigs] false positive snort it 2329 ?
Date: Thu, 02 Dec 2004 21:30:57 +0000
Hi


I didn't understand a lot of the stuff at the link for sending reports
to this list, so if anybody wants any more information just send me the
steps I need to go through to get it for you and I will gladly help.


I'll try to explain my system and the 'potential' false positive I
suspect, as best I can.


I am using SNORT via IPCOP, the 1.4.1 CD ISO of IPCOP, and installed it.


I have the IDS turned on in IPCOP, which is using the 'snort' engine.


Today I got this in the IPCOP IDS log:


Date:       12/02 16:21:47
Name:       MS-SQL probe response overflow attempt
Priority:   1
Type:       Attempted User Privilege Gain
IP info:    193.120.x.x:5000 -> 10.0.16.x:5000
References: none found
SID:        2329

Date:       12/02 16:21:48
Name:       MS-SQL probe response overflow attempt
Priority:   1
Type:       Attempted User Privilege Gain
IP info:    193.120.x.x:5000 -> 10.0.16.x:5000
References: none found
SID:        2329

Date:       12/02 16:22:04
Name:       MS-SQL probe response overflow attempt
Priority:   1
Type:       Attempted User Privilege Gain
IP info:    193.120.x.x:5000 -> 10.0.16.x:5000
References: none found
SID:        2329

SID 2329 is a link to http://www.snort.org/snort-db/sid.html?sid=2329 



The reason I'm reporting this is because the port (5000) in question is
used for my VPN to my company.


The 192.120.x.x address is one of the company's external access points
(a router/firewall thingy).

My address is on an internal network (10.x.x.x).



So, I was about to send this off to the company saying that perhaps
their network is compromised, or somebody inside is messing about or
using the game mentioned on your site that could generate this alert.


Then I wondered how they could do so. It would mean either faking the
address and port as my VPN port, or taking it over?

But I decided it couldn't be the latter, as the VPN still worked.


I wonder then: the data is encrypted on the VPN tunnel, and so this
--could-- have simply been a coincidence where some packets of
encrypted data "looked like" attack packets?


Would you agree with this possibility of a false positive?


Maybe you would like to put it on your site, maybe not; maybe it is a
problem at my company.

Hope this is useful.

regards

d
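A tuning note added here, not part of the original post: if the peer really is the company's VPN endpoint, the sensor cannot inspect the encrypted payload anyway, so the usual answer is to scope SID 2329 out for that one peer rather than switch the rule off for everyone. The fragment below uses Snort 2.x threshold.conf syntax; the peer address is a placeholder, since the post masks it as 193.120.x.x.

```conf
# threshold.conf (Snort 2.x syntax). Assumed to be the sensor's threshold
# file; on an IPCop box the exact path depends on the snort package used.

# Too broad: this silences SID 2329 for every source, so a genuine
# MS-SQL probe response from some other host would never be reported.
# suppress gen_id 1, sig_id 2329

# Scoped: drop SID 2329 only when the source is the company's VPN endpoint.
# 192.0.2.10 is a placeholder for the masked 193.120.x.x address in the post.
suppress gen_id 1, sig_id 2329, track by_src, ip 192.0.2.10

# Middle ground instead of a suppress: keep at most one SID 2329 alert per
# hour from that peer, so a change in its behaviour is still visible.
# threshold gen_id 1, sig_id 2329, type limit, track by_src, count 1, seconds 3600
```

Whichever form is used, the matching packets are still worth capturing once and confirming against the VPN peer's expected port 5000 traffic before the suppression is made permanent.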
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs