Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] sid 2586 False positive documentation

from [Burtoft, Jim] Network Security [Permanent Link]
Subject: [Snort-sigs] sid 2586 False positive documentation
Date: Tue, 15 Feb 2005 13:12:44 -0500 
Message:  P2P eDonkey transfer
 
False positives:  This rule triggers when there is any traffic that has a 
source port of 4242 and the first hex byte is E3.  In our shop, this seems to 
happen regularly (once or twice a week) in SSL communication sessions 
(destination port 443) that just happen to have been dynamically assigned a 
source port of 4242.
 
I am not sure is this is characteristic of our network, or just the fact that 
any encrypted communication has an approximately 1/256 chance of beginning with 
the byte E3 (assuming encrypted traffic emulates a random distribution).  Of 
course, it only triggers the alert when the source port happens to be 4242 
(perhaps soon after the client reboots?).
 
Jim


This message and any included attachments are confidential, and are intended 
for the use of the addressee(s).  Unauthorized review, forwarding, printing, 
copying, distributing, or other such uses is strictly prohibited and may be 
unlawful.  If you received this message in error, or believe you are not 
authorized to receive it, please promptly delete this message and notify the 
sender of the error.



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&opÌk
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] sid 2586 False positive documentation, Burtoft, Jim <=
Previous by Date:  Re: [Snort-sigs] OT: cleanup in Bleeding edge rules, Matt Jonkman
Next by Date:  [Snort-sigs] Assessing your malware exposure with Snort, particle . bored
Previous by Thread:  [Snort-sigs] Bleeding rules virus and threshold issue, James Lay
Next by Thread:  [Snort-sigs] Assessing your malware exposure with Snort, particle . bored
Indexes:  [Date] [Thread] [Top] [All Lists]