
Network Security Snort-Signatures

Re: [Snort-sigs] unsubscribe

Subject: Re: [Snort-sigs] unsubscribe
Date: Thu, 07 Jun 2007 20:13:15 -0400
What, you don't enjoy the list???

Someone finally has a conversation and you bail out.

For shame...

Where is WuTang to get pissy?



Shirkdog
' or 1=1--
http://www.shirkdog.us





From: "Rowland, Krisa W ERDC-ITL-MS" <Krisa.W.Rowland@erdc.usace.army.mil>
To: <snort-sigs@lists.sourceforge.net>
Subject: [Snort-sigs] unsubscribe
Date: Thu, 7 Jun 2007 13:55:27 -0500



-----Original Message-----
From: snort-sigs-bounces@lists.sourceforge.net
[mailto:snort-sigs-bounces@lists.sourceforge.net] On Behalf Of
snort-sigs-request@lists.sourceforge.net
Sent: Thursday, June 07, 2007 11:13 AM
To: snort-sigs@lists.sourceforge.net
Subject: Snort-sigs Digest, Vol 13, Issue 4

Send Snort-sigs mailing list submissions to
      snort-sigs@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
      https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
      snort-sigs-request@lists.sourceforge.net

You can reach the person managing the list at
      snort-sigs-owner@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. False positive on rule 10995 (Federico Petronio)
   2. Re: False positive on rule 10158 (Matthew Watchinski)
   3. Re: False positive on rule 10012 (Federico Petronio)
   4. Re: False positive on rule 10995 (Federico Petronio)


----------------------------------------------------------------------

Message: 1
Date: Thu, 07 Jun 2007 11:30:17 -0300
From: Federico Petronio <petrus@activesec.biz>
Subject: [Snort-sigs] False positive on rule 10995
To: Snort Signatures List <snort-sigs@lists.sourceforge.net>
Message-ID: <46681679.4000403@activesec.biz>
Content-Type: text/plain; charset=ISO-8859-1

Hello,

I would like to report this false positive on rule 10995.

  Version of Snort
    snort_inline 2.3.0

  Rule SID and revision
    10995. rev 1.

  Command line options when starting snort
    snort -c snort.conf.inline -Q -A none -q

  The operating system being used
    Debian Linux 3.1

  A supporting packet capture that illustrates the false positive case:

length = 1368
000 : 5A 63 2F 37 62 48 62 48 67 47 70 4E 6E 6A 58 54   Zc/7bHbHgGpNnjXT
010 : 53 72 4D 67 47 59 64 76 37 4E 50 55 46 4E 66 6D   SrMgGYdv7NPUFNfm
020 : 61 52 4C 67 53 67 41 55 42 54 48 38 50 68 66 67   aRLgSgAUBTH8Phfg
030 : 6C 2B 55 46 53 42 2B 67 0D 0A 4E 5A 6A 65 6D 5A   l+UFSB+g..NZjemZ
040 : 51 38 4C 57 67 59 77 41 47 48 69 44 52 4C 4B 41   Q8LWgYwAGHiDRLKA
050 : 70 4D 39 73 51 51 41 44 34 41 52 47 77 6A 61 52   pM9sQQAD4ARGwjaR
060 : 4A 39 56 46 6F 48 30 6D 4A 74 2B 71 45 6F 39 62   J9VFoH0mJt+qEo9b
070 : 55 41 38 59 41 39 42 6F 32 73 76 4D 7A 4D 78 4D   UA8YA9Bo2svMzMxM
080 : 4A 30 44 42 52 73 0D 0A 54 77 41 47 43 55 41 43   J0DBRs..TwAGCUAC
090 : 72 64 5A 37 75 47 33 43 30 42 44 41 54 6C 30 55   rdZ7uG3C0BDATl0U
0a0 : 71 42 37 61 56 35 45 35 41 45 52 71 5A 52 42 2B   qB7aV5E5AERqZRB+
0b0 : 49 71 31 43 6B 6F 45 51 39 4E 45 51 7A 4D 41 51   Iq1CkoEQ9NEQzMAQ
0c0 : 42 53 70 62 69 4A 70 6E 37 73 4C 51 51 41 38 45   BSpbiJpn7sLQQA8E
0d0 : 7A 76 49 4A 0D 0A 51 51 42 45 65 6E 41 50 4B 51   zvIJ..QQBEenAPKQ
0e0 : 51 52 4C 78 51 43 42 49 34 4B 70 6E 65 4A 31 61   QRLxQCBI4KpneJ1a
0f0 : 4B 30 49 51 34 79 63 79 49 35 78 76 46 43 30 42   K0IQ4ycyI5xvFC0B
100 : 53 6F 48 2F 72 42 70 55 59 41 52 43 54 6F 6A 77   SoH/rBpUYARCTojw
110 : 46 2B 35 49 44 79 4A 31 77 54 4C 78 51 42 41 41   F+5IDyJ1wTLxQBAA
120 : 61 45 0D 0A 41 55 34 7A 61 38 58 79 64 41 77 2B   aE..AU4za8XydAw+
130 : 55 41 2F 77 75 79 4D 4A 51 41 69 35 4A 52 73 67   UA/wuyMJQAi5JRsg
140 : 73 51 4A 63 4D 67 52 35 56 4B 67 66 30 4B 46 52   sQJcMgR5VKgf0KFR
150 : 70 68 4A 2F 4A 44 6F 6B 41 51 75 41 43 65 36 61   phJ/JDokAQuACe6a
160 : 79 6E 73 53 64 41 77 70 44 41 6E 68 74 55 51 53   ynsSdAwpDAnhtUQS
170 : 0D 0A 41 7A 67 65 6B 73 4D 45 4C 6D 52 46 5A 68   ..AzgeksMELmRFZh
180 : 4A 50 64 36 45 32 66 79 6D 6F 46 54 42 49 41 67   JPd6E2fymoFTBIAg
190 : 4D 44 5A 59 5A 4D 61 32 4B 77 4E 67 51 67 62 61   MDZYZMa2KwNgQgba
1a0 : 64 4D 48 75 36 43 55 7A 62 4F 73 37 65 68 7A 49   dMHu6CUzbOs7ehzI
1b0 : 42 59 70 77 76 33 34 42 78 6E 76 73 4E 61 0D 0A   BYpwv34BxnvsNa..
1c0 : 41 5A 72 37 76 6C 6E 4D 6F 6C 43 7A 41 74 37 55   AZr7vlnMolCzAt7U
1d0 : 36 4C 50 71 52 72 39 42 6E 36 48 4D 67 46 70 78   6LPqRr9Bn6HMgFpx
1e0 : 32 75 64 35 43 67 4A 63 76 76 67 4C 6E 72 34 36   2ud5CgJcvvgLnr46
1f0 : 43 42 63 35 6A 49 43 49 58 67 41 54 5A 79 54 38   CBc5jICIXgATZyT8
200 : 49 64 6A 46 6B 62 62 48 68 6F 74 61 0D 0A 42 47   IdjFkbbHhota..BG
210 : 4F 33 30 50 49 49 35 75 72 4B 59 38 6F 49 72 72   O30PII5urKY8oIrr
220 : 4B 41 75 6A 61 59 38 75 70 4D 2B 76 76 49 57 69   KAujaY8upM+vvIWi
230 : 65 42 4B 34 41 6C 69 42 5A 56 44 64 4B 49 75 67   eBK4AliBZVDdKIug
240 : 59 41 55 57 6B 78 35 51 52 58 57 55 41 6B 35 43   YAUWkx5QRXWUAk5C
250 : 6B 4A 71 30 50 39 53 5A 39 63 0D 0A 4F 7A 77 72   kJq0P9SZ9c..Ozwr
260 : 41 45 54 47 5A 76 4F 42 4A 43 4A 77 45 59 41 6E   AETGZvOBJCJwEYAn
270 : 42 41 54 4E 71 61 45 61 72 58 75 4B 4A 34 42 6F   BATNqaEarXuKJ4Bo
280 : 64 2F 4A 72 48 71 59 58 4C 53 69 42 69 45 35 59   d/JrHqYXLSiBiE5Y
290 : 47 41 41 50 33 4F 41 32 32 58 74 47 73 31 6F 41   GAAP3OA22XtGs1oA
2a0 : 49 6D 76 2B 2F 6F 72 41 0D 0A 73 6F 46 69 4A 72   Imv+/orA..soFiJr
2b0 : 6A 53 73 61 56 71 54 50 72 70 42 42 41 78 41 45   jSsaVqTPrpBBAxAE
2c0 : 48 4E 49 2B 6E 66 67 52 49 34 46 77 41 4E 30 34   HNI+nfgRI4FwAN04
2d0 : 6C 73 57 43 42 58 50 61 30 41 58 4F 78 44 6E 4A   lsWCBXPa0AXOxDnJ
2e0 : 74 64 57 55 43 77 6F 6E 51 55 79 30 4F 50 38 50   tdWUCwonQUy0OP8P
2f0 : 36 53 47 41 6E 50 0D 0A 4B 69 4D 33 45 6A 74 2B   6SGAnP..KiM3Ejt+
300 : 76 37 41 4E 49 73 41 51 41 41 66 53 69 64 4F 30   v7ANIsAQAAfSidO0
310 : 78 69 73 56 72 51 44 77 65 4E 64 32 42 64 78 5A   xisVrQDweNd2BdxZ
320 : 51 4C 4C 76 35 41 63 4F 67 4B 2F 6F 30 67 30 49   QLLv5AcOgK/o0g0I
330 : 43 4B 45 4E 67 6C 67 79 41 41 66 53 63 41 4D 71   CKENglgyAAfScAMq
340 : 67 39 38 68 0D 0A 72 51 43 49 44 61 47 73 61 4A   g98h..rQCIDaGsaJ
350 : 78 5A 51 4C 44 76 4C 67 33 71 34 68 2F 73 30 67   xZQLDvLg3q4h/s0g
360 : 32 56 7A 79 65 64 46 49 49 69 35 4B 45 41 42 6A   2VzyedFIIi5KEABj
370 : 70 73 6F 79 2B 4C 45 61 30 41 4B 75 53 34 32 50   psoy+LEa0AKuS42P
380 : 73 62 57 6B 43 77 4F 30 36 6F 56 48 6F 33 34 43   sbWkCwO06oVHo34C
390 : 57 63 0D 0A 46 41 51 39 68 5A 55 33 41 45 54 65   Wc..FAQ9hZU3AETe
3a0 : 62 6B 75 43 70 4D 53 68 41 42 50 66 63 42 33 78   bkuCpMShABPfcB3x
3b0 : 78 76 59 4C 57 67 56 42 6A 33 77 61 67 35 46 74   xvYLWgVBj3wag5Ft
3c0 : 53 42 47 4B 62 42 69 30 67 4F 74 53 42 47 4C 6F   SBGKbBi0gOtSBGLo
3d0 : 59 43 63 38 71 6C 51 50 37 5A 46 31 72 55 36 43   YCc8qlQP7ZF1rU6C
3e0 : 0D 0A 69 47 63 47 5A 75 54 38 49 64 76 77 79 63   ..iGcGZuT8Idvwyc
3f0 : 6F 57 5A 41 34 48 6A 6A 79 4C 4B 36 4B 74 78 43   oWZA4HjjyLK6KtxC
400 : 55 35 74 45 51 4F 41 32 70 55 44 2B 52 50 32 36   U5tEQOA2pUD+RP26
410 : 71 42 67 79 55 6F 6C 42 77 43 32 48 4A 43 6F 59   qBgyUolBwC2HJCoY
420 : 5A 6B 44 41 41 46 6A 32 33 6F 63 59 47 73 0D 0A   ZkDAAFj23ocYGs..
430 : 50 6A 72 6D 2F 42 71 30 67 4E 73 50 6A 72 6E 71   Pjrm/Bq0gNsPjrnq
440 : 56 41 2F 6E 44 39 47 70 4E 49 4D 69 54 45 38 43   VA/nD9GpNIMiTE8C
450 : 61 62 72 49 6E 66 74 49 51 51 30 59 77 74 70 44   abrInftIQQ0YwtpD
460 : 67 31 74 61 51 4C 50 38 69 67 42 4F 62 47 50 59   g1taQLP8igBObGPY
470 : 69 6A 51 2F 33 42 41 42 57 41 67 41 0D 0A 43 34   ijQ/3BABWAgA..C4
480 : 4F 6C 64 43 48 53 73 4B 48 75 4D 36 64 42 72 51   OldCHSsKHuM6dBrQ
490 : 42 59 47 49 52 56 4D 5A 6C 61 51 4C 46 6C 7A 56   BYGIRVMZlaQLFlzV
4a0 : 52 45 59 70 50 4D 6E 41 73 44 35 78 46 48 41 45   REYpPMnAsD5xFHAE
4b0 : 42 44 49 36 55 69 67 79 49 6F 4D 41 41 4F 6C 64   BDI6UigyIoMAAOld
4c0 : 59 74 76 33 6B 77 56 73 51 46 0D 0A 59 37 4F 6F   Ytv3kwVsQF..Y7Oo
4d0 : 47 50 68 56 6C 41 74 30 52 67 71 74 74 48 44 5A   GPhVlAt0RgqttHDZ
4e0 : 58 4D 74 4F 46 4C 42 34 44 38 41 6A 57 52 51 77   XMtOFLB4D8AjWRQw
4f0 : 6A 41 45 4E 4F 67 2F 51 52 77 50 54 45 6C 51 4A   jAENOg/QRwPTElQJ
500 : 53 48 54 6C 52 59 64 64 66 79 64 38 45 67 41 69   SHTlRYddfyd8EgAi
510 : 68 53 56 32 49 64 47 61 0D 0A 62 66 71 68 4B 6C   hSV2IdGa..bfqhKl
520 : 57 78 41 4D 71 72 43 37 62 2B 4C 31 74 41 67 50   WxAMqrC7b+L1tAgP
530 : 75 51 74 73 6F 79 67 6A 51 4D 34 75 61 55 35 63   uQtsoygjQM4uaU5c
540 : 6A 4D 45 45 41 30 69 45 7A 66 33 7A 5A 45 6B 42   jMEEA0iEzf3zZEkB
550 : 53 5A 38 6F 42 32 66 53                           SZ8oB2fS

  Contact email
    petrus@activesec.biz

  Some text that clearly explains why you think this is a false positive case
    The rule intercepted trusted traffic between two Windows servers of the organization

--
                                        Federico Petronio
                                        petrus@activesec.biz




------------------------------

Message: 2
Date: Thu, 07 Jun 2007 11:31:16 -0400
From: Matthew Watchinski <mwatchinski@sourcefire.com>
Subject: Re: [Snort-sigs] False positive on rule 10158
To: Federico Petronio <petrus@activesec.biz>
Cc: Snort Signatures List <snort-sigs@lists.sourceforge.net>
Message-ID: <466824C4.8060006@sourcefire.com>
Content-Type: text/plain; charset=ISO-8859-1

This rule will be deleted.  Use the SO rule, gid 3, sid 10161

Federico Petronio wrote:
Hello,

I would like to report this false positive on rule 10158.

  Version of Snort
    snort_inline 2.3.0

  Rule SID and revision
    10158. rev 3.

  Command line options when starting snort
    snort -c snort.conf.inline -Q -A none -q

  The operating system being used
    Debian Linux 3.1

  A supporting packet capture that illustrates the false positive case:

length = 140
000 : 00 00 00 88 FF 53 4D 42 2F 00 00 00 00 18 07 C8   .....SMB/.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 03 08 FF FE   ................
020 : 02 20 40 0B 0E FF 00 DE DE 03 40 00 00 00 00 FF   . @.......@.....
030 : FF FF FF 08 00 48 00 00 00 48 00 40 00 00 00 00   .....H...H.@....
040 : 00 49 00 EE 05 00 0B 03 10 00 00 00 48 00 00 00   .I..........H...
050 : 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00   ................
060 : 00 00 01 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47   .....O2Kp....xZG
070 : BF 6E E1 88 03 00 00 00 04 5D 88 8A EB 1C C9 11   .n.......]......
080 : 9F E8 08 00 2B 10 48 60 02 00 00 00               ....+.H`....

  Contact email (we may have a need for more information)
    petrus@activesec.biz

  Some text that clearly explains why you think this is a false positive case
    The rule intercepted normal traffic between two Windows servers of the organization






------------------------------

Message: 3
Date: Thu, 07 Jun 2007 13:10:51 -0300
From: Federico Petronio <petrus@activesec.biz>
Subject: Re: [Snort-sigs] False positive on rule 10012
To: rmkml <rmkml@free.fr>
Cc: Snort Signatures List <snort-sigs@lists.sourceforge.net>
Message-ID: <46682E0B.6080802@activesec.biz>
Content-Type: text/plain; charset=ISO-8859-1

Hello,

the rule is:

drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Microsoft Outlook VEVENT non-TZID overflow attempt"; flow:to_server,established; content:"DTSTART|3B|"; nocase; content:!"value"; within:5; nocase; content:!"TZID"; within:4; nocase; reference:bugtraq,21931; reference:cve,2007-0033; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-003.mspx; classtype:attempted-user; sid:10012; rev:1;)

Regards,

rmkml wrote:
Hi Federico,
please send rule sid 10012.
Regards
Rmkml


On Thu, 7 Jun 2007, Federico Petronio wrote:

Date: Thu, 07 Jun 2007 11:30:11 -0300
From: Federico Petronio <petrus@activesec.biz>
To: Snort Signatures List <snort-sigs@lists.sourceforge.net>
Subject: [Snort-sigs] False positive on rule 10012

Hello,

I would like to report this false positive on rule 10012.

 Version of Snort
   snort_inline 2.3.0

 Rule SID and revision
   10012. rev 1.

 Command line options when starting snort
   snort -c snort.conf.inline -Q -A none -q

 The operating system being used
   Debian Linux 3.1

 A supporting packet capture that illustrates the false positive case:

0000000: 4163 6569 6b35 6f35 566f 3468 4350 314e  Aceik5o5Vo4hCP1N
0000010: 5431 7552 4742 344b 5359 4768 4d51 4141  T1uRGB4KSYGhMQAA
0000020: 4141 3067 4141 4146 7545 4141 4147 4e4f  AA0gAAAFuEAAAGNO
0000030: 4141 3d3d 0d0a 4672 6f6d 3a20 2278 7878  AA==..From: "xxx
0000040: 7878 7878 7878 7878 7822 203c 7878 7878  xxxxxxxxx" <xxxx
0000050: 7878 7878 7878 7840 7878 7878 7878 3e0d  xxxxxxx@xxxxxx>.
0000060: 0a54 6f3a 2022 7878 7878 7878 7878 7878  .To: "xxxxxxxxxx
0000070: 7878 7878 7878 7878 7822 203c 7878 7878  xxxxxxxxx" <xxxx
0000080: 7878 7840 7878 7878 7878 7878 783e 0d0a  xxx@xxxxxxxxx>..
0000090: 0d0a 5468 6973 2069 7320 6120 6d75 6c74  ..This is a mult
00000a0: 692d 7061 7274 206d 6573 7361 6765 2069  i-part message i
00000b0: 6e20 4d49 4d45 2066 6f72 6d61 742e 0d0a  n MIME format...
00000c0: 0d0a 2d2d 2d2d 2d2d 5f3d 5f4e 6578 7450  ..------_=_NextP
00000d0: 6172 745f 3030 315f 3031 4337 4132 3935  art_001_01C7A295
00000e0: 2e33 4538 4341 3942 430d 0a43 6f6e 7465  .3E8CA9BC..Conte
00000f0: 6e74 2d54 7970 653a 2074 6578 742f 706c  nt-Type: text/pl
0000100: 6169 6e3b 0d0a 0963 6861 7273 6574 3d22  ain;...charset="
0000110: 6973 6f2d 3838 3539 2d31 220d 0a43 6f6e  iso-8859-1"..Con
0000120: 7465 6e74 2d54 7261 6e73 6665 722d 456e  tent-Transfer-En
0000130: 636f 6469 6e67 3a20 7175 6f74 6564 2d70  coding: quoted-p
0000140: 7269 6e74 6162 6c65 0d0a 0d0a 0d0a 2d2d  rintable......--
0000150: 2d2d 2d2d 5f3d 5f4e 6578 7450 6172 745f  ----_=_NextPart_
0000160: 3030 315f 3031 4337 4132 3935 2e33 4538  001_01C7A295.3E8
0000170: 4341 3942 430d 0a43 6f6e 7465 6e74 2d54  CA9BC..Content-T
0000180: 7970 653a 2074 6578 742f 6874 6d6c 3b0d  ype: text/html;.
0000190: 0a09 6368 6172 7365 743d 2269 736f 2d38  ..charset="iso-8
00001a0: 3835 392d 3122 0d0a 436f 6e74 656e 742d  859-1"..Content-
00001b0: 5472 616e 7366 6572 2d45 6e63 6f64 696e  Transfer-Encodin
00001c0: 673a 2071 756f 7465 642d 7072 696e 7461  g: quoted-printa
00001d0: 626c 650d 0a0d 0a3c 4d45 5441 2048 5454  ble....<META HTT
00001e0: 502d 4551 5549 563d 3344 2243 6f6e 7465  P-EQUIV=3D"Conte
00001f0: 6e74 2d54 7970 6522 2043 4f4e 5445 4e54  nt-Type" CONTENT
0000200: 3d33 4422 7465 7874 2f68 746d 6c3b 203d  =3D"text/html; =
0000210: 0d0a 6368 6172 7365 743d 3344 6973 6f2d  ..charset=3Diso-
0000220: 3838 3539 2d31 223e 0d0a 0d0a 2d2d 2d2d  8859-1">....----
0000230: 2d2d 5f3d 5f4e 6578 7450 6172 745f 3030  --_=_NextPart_00
0000240: 315f 3031 4337 4132 3935 2e33 4538 4341  1_01C7A295.3E8CA
0000250: 3942 430d 0a63 6f6e 7465 6e74 2d63 6c61  9BC..content-cla
0000260: 7373 3a20 7572 6e3a 636f 6e74 656e 742d  ss: urn:content-
0000270: 636c 6173 7365 733a 6361 6c65 6e64 6172  classes:calendar
0000280: 6d65 7373 6167 650d 0a43 6f6e 7465 6e74  message..Content
0000290: 2d54 7970 653a 2074 6578 742f 6361 6c65  -Type: text/cale
00002a0: 6e64 6172 3b0d 0a09 6d65 7468 6f64 3d52  ndar;...method=R
00002b0: 4550 4c59 3b0d 0a09 6e61 6d65 3d22 6d65  EPLY;...name="me
00002c0: 6574 696e 672e 6963 7322 0d0a 436f 6e74  eting.ics"..Cont
00002d0: 656e 742d 5472 616e 7366 6572 2d45 6e63  ent-Transfer-Enc
00002e0: 6f64 696e 673a 2038 6269 740d 0a0d 0a42  oding: 8bit....B
00002f0: 4547 494e 3a56 4341 4c45 4e44 4152 0d0a  EGIN:VCALENDAR..
0000300: 4d45 5448 4f44 3a52 4550 4c59 0d0a 5052  METHOD:REPLY..PR
0000310: 4f44 4944 3a4d 6963 726f 736f 6674 2043  ODID:Microsoft C
0000320: 444f 2066 6f72 204d 6963 726f 736f 6674  DO for Microsoft
0000330: 2045 7863 6861 6e67 650d 0a56 4552 5349   Exchange..VERSI
0000340: 4f4e 3a32 2e30 0d0a 4245 4749 4e3a 5654  ON:2.0..BEGIN:VT
0000350: 494d 455a 4f4e 450d 0a54 5a49 443a 5361  IMEZONE..TZID:Sa
0000360: 7261 6a65 766f 5c2c 2053 6b6f 706a 655c  rajevo\, Skopje\
0000370: 2c20 536f 6669 6a61 5c2c 2056 696c 6e69  , Sofija\, Vilni
0000380: 7573 5c2c 2057 6172 7361 775c 2c20 5a61  us\, Warsaw\, Za
0000390: 6772 6562 0d0a 582d 4d49 4352 4f53 4f46  greb..X-MICROSOF
00003a0: 542d 4344 4f2d 545a 4944 3a32 0d0a 4245  T-CDO-TZID:2..BE
00003b0: 4749 4e3a 5354 414e 4441 5244 0d0a 4454  GIN:STANDARD..DT
00003c0: 5354 4152 543a 3136 3031 3031 3031 5430  START:16010101T0
00003d0: 3330 3030 300d 0a54 5a4f 4646 5345 5446  30000..TZOFFSETF
00003e0: 524f 4d3a 2b30 3230 300d 0a54 5a4f 4646  ROM:+0200..TZOFF
00003f0: 5345 5454 4f3a 2b30 3130 300d 0a52 5255  SETTO:+0100..RRU
0000400: 4c45 3a46 5245 513d 5945 4152 4c59 3b57  LE:FREQ=YEARLY;W
0000410: 4b53 543d 4d4f 3b49 4e54 4552 5641 4c3d  KST=MO;INTERVAL=
0000420: 313b 4259 4d4f 4e54 483d 3130 3b42 5944  1;BYMONTH=10;BYD
0000430: 4159 3d2d 3153 550d 0a45 4e44 3a53 5441  AY=-1SU..END:STA
0000440: 4e44 4152 440d 0a42 4547 494e 3a44 4159  NDARD..BEGIN:DAY
0000450: 4c49 4748 540d 0a44 5453 5441 5254 3a31  LIGHT..DTSTART:1
0000460: 3630 3130 3130 3154 3032 3030 3030 0d0a  6010101T020000..
0000470: 545a 4f46 4653 4554 4652 4f4d 3a2b 3031  TZOFFSETFROM:+01
0000480: 3030 0d0a 545a 4f46 4653 4554 544f 3a2b  00..TZOFFSETTO:+
0000490: 3032 3030 0d0a 5252 554c 453a 4652 4551  0200..RRULE:FREQ
00004a0: 3d59 4541 524c 593b 574b 5354 3d4d 4f3b  =YEARLY;WKST=MO;
00004b0: 494e 5445 5256 414c 3d31 3b42 594d 4f4e  INTERVAL=1;BYMON
00004c0: 5448 3d33 3b42 5944 4159 3d2d 3153 550d  TH=3;BYDAY=-1SU.
00004d0: 0a45 4e44 3a44 4159 4c49 4748 540d 0a45  .END:DAYLIGHT..E
00004e0: 4e44 3a56 5449 4d45 5a4f 4e45 0d0a 4245  ND:VTIMEZONE..BE
00004f0: 4749 4e3a 5645 5645 4e54 0d0a 4454 5354  GIN:VEVENT..DTST
0000500: 414d 503a 3230 3037 3035 3330 5430 3832  AMP:20070530T082
0000510: 3230 335a 0d0a 4454 5354 4152 543b 545a  203Z..DTSTART;TZ
0000520: 4944 3d22 5361 7261 6a65 766f 2c20 536b  ID="Sarajevo, Sk
0000530: 6f70 6a65 2c20 536f 6669 6a61 2c20 5669  opje, Sofija, Vi
0000540: 6c6e 6975 732c 2057 6172 7361 772c 205a  lnius, Warsaw, Z
0000550: 6167 7265 6222 3a32 0d0a                 agreb":2..

 Contact email
   petrus@activesec.biz

 Some text that clearly explains why you think this is a false positive case
   The rule intercepted traffic between two nodes of MS Exchange of the organization

--
                                       Federico Petronio
                                       petrus@activesec.biz



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




--
                                        Federico Petronio
                                        petrus@activesec.biz



------------------------------

Message: 4
Date: Thu, 07 Jun 2007 13:11:53 -0300
From: Federico Petronio <petrus@activesec.biz>
Subject: Re: [Snort-sigs] False positive on rule 10995
To: rmkml <rmkml@free.fr>
Cc: Snort Signatures List <snort-sigs@lists.sourceforge.net>
Message-ID: <46682E49.5060101@activesec.biz>
Content-Type: text/plain; charset=ISO-8859-1

This is the rule:

drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP possible BDAT DoS attempt"; flow:to_server,established; content:"BDAT"; nocase; byte_jump:2,1,relative,string,dec; content:!"|0D 0A|"; within:2; reference:bugtraq,4204; reference:cve,2002-0055; reference:url,www.microsoft.com/technet/security/bulletin/ms02-012.mspx; classtype:denial-of-service; sid:10995; rev:1;)

Regards,

rmkml wrote:
Hi Federico,
please send rule sid 10995.
Regards
Rmkml


On Thu, 7 Jun 2007, Federico Petronio wrote:

Date: Thu, 07 Jun 2007 11:30:17 -0300
From: Federico Petronio <petrus@activesec.biz>
To: Snort Signatures List <snort-sigs@lists.sourceforge.net>
Subject: [Snort-sigs] False positive on rule 10995

Hello,

I would like to report this false positive on rule 10995.

 Version of Snort
   snort_inline 2.3.0

 Rule SID and revision
   10995. rev 1.

 Command line options when starting snort
   snort -c snort.conf.inline -Q -A none -q

 The operating system being used
   Debian Linux 3.1

 A supporting packet capture that illustrates the false positive case:

length = 1368
000 : 5A 63 2F 37 62 48 62 48 67 47 70 4E 6E 6A 58 54   Zc/7bHbHgGpNnjXT
010 : 53 72 4D 67 47 59 64 76 37 4E 50 55 46 4E 66 6D   SrMgGYdv7NPUFNfm
020 : 61 52 4C 67 53 67 41 55 42 54 48 38 50 68 66 67   aRLgSgAUBTH8Phfg
030 : 6C 2B 55 46 53 42 2B 67 0D 0A 4E 5A 6A 65 6D 5A   l+UFSB+g..NZjemZ
040 : 51 38 4C 57 67 59 77 41 47 48 69 44 52 4C 4B 41   Q8LWgYwAGHiDRLKA
050 : 70 4D 39 73 51 51 41 44 34 41 52 47 77 6A 61 52   pM9sQQAD4ARGwjaR
060 : 4A 39 56 46 6F 48 30 6D 4A 74 2B 71 45 6F 39 62   J9VFoH0mJt+qEo9b
070 : 55 41 38 59 41 39 42 6F 32 73 76 4D 7A 4D 78 4D   UA8YA9Bo2svMzMxM
080 : 4A 30 44 42 52 73 0D 0A 54 77 41 47 43 55 41 43   J0DBRs..TwAGCUAC
090 : 72 64 5A 37 75 47 33 43 30 42 44 41 54 6C 30 55   rdZ7uG3C0BDATl0U
0a0 : 71 42 37 61 56 35 45 35 41 45 52 71 5A 52 42 2B   qB7aV5E5AERqZRB+
0b0 : 49 71 31 43 6B 6F 45 51 39 4E 45 51 7A 4D 41 51   Iq1CkoEQ9NEQzMAQ
0c0 : 42 53 70 62 69 4A 70 6E 37 73 4C 51 51 41 38 45   BSpbiJpn7sLQQA8E
0d0 : 7A 76 49 4A 0D 0A 51 51 42 45 65 6E 41 50 4B 51   zvIJ..QQBEenAPKQ
0e0 : 51 52 4C 78 51 43 42 49 34 4B 70 6E 65 4A 31 61   QRLxQCBI4KpneJ1a
0f0 : 4B 30 49 51 34 79 63 79 49 35 78 76 46 43 30 42   K0IQ4ycyI5xvFC0B
100 : 53 6F 48 2F 72 42 70 55 59 41 52 43 54 6F 6A 77   SoH/rBpUYARCTojw
110 : 46 2B 35 49 44 79 4A 31 77 54 4C 78 51 42 41 41   F+5IDyJ1wTLxQBAA
120 : 61 45 0D 0A 41 55 34 7A 61 38 58 79 64 41 77 2B   aE..AU4za8XydAw+
130 : 55 41 2F 77 75 79 4D 4A 51 41 69 35 4A 52 73 67   UA/wuyMJQAi5JRsg
140 : 73 51 4A 63 4D 67 52 35 56 4B 67 66 30 4B 46 52   sQJcMgR5VKgf0KFR
150 : 70 68 4A 2F 4A 44 6F 6B 41 51 75 41 43 65 36 61   phJ/JDokAQuACe6a
160 : 79 6E 73 53 64 41 77 70 44 41 6E 68 74 55 51 53   ynsSdAwpDAnhtUQS
170 : 0D 0A 41 7A 67 65 6B 73 4D 45 4C 6D 52 46 5A 68   ..AzgeksMELmRFZh
180 : 4A 50 64 36 45 32 66 79 6D 6F 46 54 42 49 41 67   JPd6E2fymoFTBIAg
190 : 4D 44 5A 59 5A 4D 61 32 4B 77 4E 67 51 67 62 61   MDZYZMa2KwNgQgba
1a0 : 64 4D 48 75 36 43 55 7A 62 4F 73 37 65 68 7A 49   dMHu6CUzbOs7ehzI
1b0 : 42 59 70 77 76 33 34 42 78 6E 76 73 4E 61 0D 0A   BYpwv34BxnvsNa..
1c0 : 41 5A 72 37 76 6C 6E 4D 6F 6C 43 7A 41 74 37 55   AZr7vlnMolCzAt7U
1d0 : 36 4C 50 71 52 72 39 42 6E 36 48 4D 67 46 70 78   6LPqRr9Bn6HMgFpx
1e0 : 32 75 64 35 43 67 4A 63 76 76 67 4C 6E 72 34 36   2ud5CgJcvvgLnr46
1f0 : 43 42 63 35 6A 49 43 49 58 67 41 54 5A 79 54 38   CBc5jICIXgATZyT8
200 : 49 64 6A 46 6B 62 62 48 68 6F 74 61 0D 0A 42 47   IdjFkbbHhota..BG
210 : 4F 33 30 50 49 49 35 75 72 4B 59 38 6F 49 72 72   O30PII5urKY8oIrr
220 : 4B 41 75 6A 61 59 38 75 70 4D 2B 76 76 49 57 69   KAujaY8upM+vvIWi
230 : 65 42 4B 34 41 6C 69 42 5A 56 44 64 4B 49 75 67   eBK4AliBZVDdKIug
240 : 59 41 55 57 6B 78 35 51 52 58 57 55 41 6B 35 43   YAUWkx5QRXWUAk5C
250 : 6B 4A 71 30 50 39 53 5A 39 63 0D 0A 4F 7A 77 72   kJq0P9SZ9c..Ozwr
260 : 41 45 54 47 5A 76 4F 42 4A 43 4A 77 45 59 41 6E   AETGZvOBJCJwEYAn
270 : 42 41 54 4E 71 61 45 61 72 58 75 4B 4A 34 42 6F   BATNqaEarXuKJ4Bo
280 : 64 2F 4A 72 48 71 59 58 4C 53 69 42 69 45 35 59   d/JrHqYXLSiBiE5Y
290 : 47 41 41 50 33 4F 41 32 32 58 74 47 73 31 6F 41   GAAP3OA22XtGs1oA
2a0 : 49 6D 76 2B 2F 6F 72 41 0D 0A 73 6F 46 69 4A 72   Imv+/orA..soFiJr
2b0 : 6A 53 73 61 56 71 54 50 72 70 42 42 41 78 41 45   jSsaVqTPrpBBAxAE
2c0 : 48 4E 49 2B 6E 66 67 52 49 34 46 77 41 4E 30 34   HNI+nfgRI4FwAN04
2d0 : 6C 73 57 43 42 58 50 61 30 41 58 4F 78 44 6E 4A   lsWCBXPa0AXOxDnJ
2e0 : 74 64 57 55 43 77 6F 6E 51 55 79 30 4F 50 38 50   tdWUCwonQUy0OP8P
2f0 : 36 53 47 41 6E 50 0D 0A 4B 69 4D 33 45 6A 74 2B   6SGAnP..KiM3Ejt+
300 : 76 37 41 4E 49 73 41 51 41 41 66 53 69 64 4F 30   v7ANIsAQAAfSidO0
310 : 78 69 73 56 72 51 44 77 65 4E 64 32 42 64 78 5A   xisVrQDweNd2BdxZ
320 : 51 4C 4C 76 35 41 63 4F 67 4B 2F 6F 30 67 30 49   QLLv5AcOgK/o0g0I
330 : 43 4B 45 4E 67 6C 67 79 41 41 66 53 63 41 4D 71   CKENglgyAAfScAMq
340 : 67 39 38 68 0D 0A 72 51 43 49 44 61 47 73 61 4A   g98h..rQCIDaGsaJ
350 : 78 5A 51 4C 44 76 4C 67 33 71 34 68 2F 73 30 67   xZQLDvLg3q4h/s0g
360 : 32 56 7A 79 65 64 46 49 49 69 35 4B 45 41 42 6A   2VzyedFIIi5KEABj
370 : 70 73 6F 79 2B 4C 45 61 30 41 4B 75 53 34 32 50   psoy+LEa0AKuS42P
380 : 73 62 57 6B 43 77 4F 30 36 6F 56 48 6F 33 34 43   sbWkCwO06oVHo34C
390 : 57 63 0D 0A 46 41 51 39 68 5A 55 33 41 45 54 65   Wc..FAQ9hZU3AETe
3a0 : 62 6B 75 43 70 4D 53 68 41 42 50 66 63 42 33 78   bkuCpMShABPfcB3x
3b0 : 78 76 59 4C 57 67 56 42 6A 33 77 61 67 35 46 74   xvYLWgVBj3wag5Ft
3c0 : 53 42 47 4B 62 42 69 30 67 4F 74 53 42 47 4C 6F   SBGKbBi0gOtSBGLo
3d0 : 59 43 63 38 71 6C 51 50 37 5A 46 31 72 55 36 43   YCc8qlQP7ZF1rU6C
3e0 : 0D 0A 69 47 63 47 5A 75 54 38 49 64 76 77 79 63   ..iGcGZuT8Idvwyc
3f0 : 6F 57 5A 41 34 48 6A 6A 79 4C 4B 36 4B 74 78 43   oWZA4HjjyLK6KtxC
400 : 55 35 74 45 51 4F 41 32 70 55 44 2B 52 50 32 36   U5tEQOA2pUD+RP26
410 : 71 42 67 79 55 6F 6C 42 77 43 32 48 4A 43 6F 59   qBgyUolBwC2HJCoY
420 : 5A 6B 44 41 41 46 6A 32 33 6F 63 59 47 73 0D 0A   ZkDAAFj23ocYGs..
430 : 50 6A 72 6D 2F 42 71 30 67 4E 73 50 6A 72 6E 71   Pjrm/Bq0gNsPjrnq
440 : 56 41 2F 6E 44 39 47 70 4E 49 4D 69 54 45 38 43   VA/nD9GpNIMiTE8C
450 : 61 62 72 49 6E 66 74 49 51 51 30 59 77 74 70 44   abrInftIQQ0YwtpD
460 : 67 31 74 61 51 4C 50 38 69 67 42 4F 62 47 50 59   g1taQLP8igBObGPY
470 : 69 6A 51 2F 33 42 41 42 57 41 67 41 0D 0A 43 34   ijQ/3BABWAgA..C4
480 : 4F 6C 64 43 48 53 73 4B 48 75 4D 36 64 42 72 51   OldCHSsKHuM6dBrQ
490 : 42 59 47 49 52 56 4D 5A 6C 61 51 4C 46 6C 7A 56   BYGIRVMZlaQLFlzV
4a0 : 52 45 59 70 50 4D 6E 41 73 44 35 78 46 48 41 45   REYpPMnAsD5xFHAE
4b0 : 42 44 49 36 55 69 67 79 49 6F 4D 41 41 4F 6C 64   BDI6UigyIoMAAOld
4c0 : 59 74 76 33 6B 77 56 73 51 46 0D 0A 59 37 4F 6F   Ytv3kwVsQF..Y7Oo
4d0 : 47 50 68 56 6C 41 74 30 52 67 71 74 74 48 44 5A   GPhVlAt0RgqttHDZ
4e0 : 58 4D 74 4F 46 4C 42 34 44 38 41 6A 57 52 51 77   XMtOFLB4D8AjWRQw
4f0 : 6A 41 45 4E 4F 67 2F 51 52 77 50 54 45 6C 51 4A   jAENOg/QRwPTElQJ
500 : 53 48 54 6C 52 59 64 64 66 79 64 38 45 67 41 69   SHTlRYddfyd8EgAi
510 : 68 53 56 32 49 64 47 61 0D 0A 62 66 71 68 4B 6C   hSV2IdGa..bfqhKl
520 : 57 78 41 4D 71 72 43 37 62 2B 4C 31 74 41 67 50   WxAMqrC7b+L1tAgP
530 : 75 51 74 73 6F 79 67 6A 51 4D 34 75 61 55 35 63   uQtsoygjQM4uaU5c
540 : 6A 4D 45 45 41 30 69 45 7A 66 33 7A 5A 45 6B 42   jMEEA0iEzf3zZEkB
550 : 53 5A 38 6F 42 32 66 53                           SZ8oB2fS

 Contact email
   petrus@activesec.biz

 Some text that clearly explains why you think this is a false positive case
   The rule intercepted trusted traffic between two Windows servers of the organization

--
                                       Federico Petronio
                                       petrus@activesec.biz







--
                                        Federico Petronio
                                        petrus@activesec.biz



------------------------------



End of Snort-sigs Digest, Vol 13, Issue 4
*****************************************
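Added example, not part of the digest above and not Snort's own code: a small Python script that rebuilds payload bytes from the hex dumps pasted in these false-positive reports, in both layouts used in the thread (the "000 : 5A 63 ..." layout of the SID 10995 report and the xxd-style "0000010: 5431 ..." layout of the SID 10012 report), and then replays the content/within chain of SID 10012 from message 3 over the result. The chain evaluator is a simplified model of Snort's matching written for this example (nocase on every step, the "DTSTART;" anchor re-tried at each later occurrence when a following option fails, negated contents leaving the relative position at the end of the anchor match). On the VEVENT tail of the capture quoted in message 3 the modelled chain does not alert, since TZID directly follows the semicolon; the report does not say which bytes raised the alert, so the script is a triage aid for checking candidate payloads against a rule's content logic, not a reproduction of the reported alert. The dumps and payloads marked as constructed are made up for the example.

```python
"""Replay the content chain of Snort SID 10012 over a captured payload.

Added example for this thread, not Snort code or the list's own tooling.  The
hex-dump parser handles both layouts used in the false-positive reports; the
chain evaluator is a simplified model of Snort's content/within matching
(nocase on every step, anchor re-tried at later occurrences, negated contents
leaving the relative position unchanged) written for this example.
"""
import re

# One dump line: hex offset, ':', single-space separated hex tokens of four or
# two digits, then an optional ASCII gutter introduced by two or more spaces.
HEX_LINE = re.compile(
    r"^\s*[0-9A-Fa-f]+\s*:\s*"
    r"((?:[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})(?: (?:[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2}))*)"
    r"(?:\s{2,}.*)?\s*$"
)


def parse_hex_dump(text: str) -> bytes:
    """Rebuild bytes from "000 : 5A 63 ...   Zc/7" or xxd-style
    "0000010: 5431 7552 ...  T1uR" lines.  Lines that are not dump lines
    (prose, or an ASCII column pushed onto its own line by mail wrapping, as
    in the quote in message 4) are skipped."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            for tok in m.group(1).split():
                out += bytes.fromhex(tok)
    return bytes(out)


# (negated, pattern, within).  Step 0 is the positive anchor content; each later
# step is searched in the `within` bytes after the current relative position.
SID_10012_CHAIN = [
    (False, b"DTSTART;", None),   # content:"DTSTART|3B|"; nocase;
    (True, b"value", 5),          # content:!"value"; within:5; nocase;
    (True, b"TZID", 4),           # content:!"TZID"; within:4; nocase;
]


def chain_alerts(payload: bytes, chain=SID_10012_CHAIN) -> bool:
    """True if the modelled chain would raise an alert on this payload."""
    low = payload.lower()                   # nocase: compare everything lowered
    anchor = chain[0][1].lower()
    start = 0
    while True:
        idx = low.find(anchor, start)
        if idx < 0:
            return False                    # no anchor occurrence satisfies the chain
        doe = idx + len(anchor)             # "detect offset end": end of last match
        ok = True
        for negated, pattern, within in chain[1:]:
            # within:N means the pattern must fit entirely in the next N bytes
            end = doe + within if within is not None else len(low)
            hit = low.find(pattern.lower(), doe, end)
            if negated and hit >= 0:
                ok = False                  # forbidden pattern present: this anchor fails
                break
            if not negated:
                if hit < 0:
                    ok = False
                    break
                doe = hit + len(pattern)    # a positive match moves the relative position
        if ok:
            return True
        start = idx + 1                     # try the next occurrence of the anchor


# The VEVENT tail of the capture quoted in the SID 10012 report (message 3).
REPORTED_FRAGMENT = """\
00004e0: 4e44 3a56 5449 4d45 5a4f 4e45 0d0a 4245  ND:VTIMEZONE..BE
00004f0: 4749 4e3a 5645 5645 4e54 0d0a 4454 5354  GIN:VEVENT..DTST
0000500: 414d 503a 3230 3037 3035 3330 5430 3832  AMP:20070530T082
0000510: 3230 335a 0d0a 4454 5354 4152 543b 545a  203Z..DTSTART;TZ
0000520: 4944 3d22 5361 7261 6a65 766f 2c20 536b  ID="Sarajevo, Sk
0000530: 6f70 6a65 2c20 536f 6669 6a61 2c20 5669  opje, Sofija, Vi
0000540: 6c6e 6975 732c 2057 6172 7361 772c 205a  lnius, Warsaw, Z
0000550: 6167 7265 6222 3a32 0d0a                 agreb":2..
"""

# Constructed dump in the "000 :" layout of the SID 10995 report (not from the
# list): a DTSTART whose parameter is neither VALUE nor TZID.
CONSTRUCTED_DUMP = """\
length = 32
000 : 44 54 53 54 41 52 54 3B 58 2D 56 3D 31 3A 32 30   DTSTART;X-V=1:20
010 : 30 37 30 36 30 37 54 31 32 30 30 30 30 5A 0D 0A   070607T120000Z..
"""

# Constructed raw payloads (not from the list).
SAMPLE_VALUE_DATE = b"BEGIN:VEVENT\r\nDTSTART;VALUE=DATE:20070607\r\nEND:VEVENT\r\n"
SAMPLE_TWO_EVENTS = (b"DTSTART;TZID=Europe/Rome:20070607T120000\r\n"
                     b"DTSTART;X-V=1:20070608\r\n")

if __name__ == "__main__":
    for name, payload in [("reported fragment", parse_hex_dump(REPORTED_FRAGMENT)),
                          ("constructed dump", parse_hex_dump(CONSTRUCTED_DUMP)),
                          ("VALUE=DATE", SAMPLE_VALUE_DATE),
                          ("two events", SAMPLE_TWO_EVENTS)]:
        print(f"{name:18s} {len(payload):4d} bytes  alert={chain_alerts(payload)}")
```

To check a full report, paste the whole dump (the wrapped quote in message 4 included, since orphaned ASCII lines are skipped) into parse_hex_dump, and replace SID_10012_CHAIN with the content steps of the rule in question; byte_jump, as used by SID 10995, is not modelled here.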

