
| Subject: | Re: [Snort-sigs] False positive on rule 10995 |
|---|---|
| Date: | Fri, 08 Jun 2007 12:04:35 -0300 |
I will, Alex, thank you! BTW, will this rev:3 of the rule be included in the official rules package?

Best regards,

Alex Kirk wrote:
Federico,

Since BDAT is an SMTP command, it should always appear at the start of a line. Thus, adding a quick bit of PCRE to enforce this will eliminate your FPs. Try:

```
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP possible BDAT DoS attempt"; flow:to_server,established; content:"BDAT"; nocase; pcre:"/^BDAT/smi"; byte_jump:2,1,relative,string,dec; content:!"|0D 0A|"; within:2; metadata:service smtp; reference:bugtraq,4204; reference:cve,2002-0055; reference:url,www.microsoft.com/technet/security/bulletin/ms02-012.mspx; classtype:denial-of-service; sid:10995; rev:3;)
```

Alex Kirk
Research Analyst
Sourcefire, Inc.

Hello,

I would like to report this false positive on rule 10995.

Version of Snort: snort_inline 2.3.0
Rule SID and revision: 10995, rev 1
Command line options when starting snort: snort -c snort.conf.inline -Q -A none -q
The operating system being used: Debian Linux 3.1
A supporting packet capture that illustrates the false positive case:

```
length = 1368
000 : 5A 63 2F 37 62 48 62 48 67 47 70 4E 6E 6A 58 54 Zc/7bHbHgGpNnjXT
010 : 53 72 4D 67 47 59 64 76 37 4E 50 55 46 4E 66 6D SrMgGYdv7NPUFNfm
020 : 61 52 4C 67 53 67 41 55 42 54 48 38 50 68 66 67 aRLgSgAUBTH8Phfg
030 : 6C 2B 55 46 53 42 2B 67 0D 0A 4E 5A 6A 65 6D 5A l+UFSB+g..NZjemZ
040 : 51 38 4C 57 67 59 77 41 47 48 69 44 52 4C 4B 41 Q8LWgYwAGHiDRLKA
050 : 70 4D 39 73 51 51 41 44 34 41 52 47 77 6A 61 52 pM9sQQAD4ARGwjaR
060 : 4A 39 56 46 6F 48 30 6D 4A 74 2B 71 45 6F 39 62 J9VFoH0mJt+qEo9b
070 : 55 41 38 59 41 39 42 6F 32 73 76 4D 7A 4D 78 4D UA8YA9Bo2svMzMxM
080 : 4A 30 44 42 52 73 0D 0A 54 77 41 47 43 55 41 43 J0DBRs..TwAGCUAC
090 : 72 64 5A 37 75 47 33 43 30 42 44 41 54 6C 30 55 rdZ7uG3C0BDATl0U
0a0 : 71 42 37 61 56 35 45 35 41 45 52 71 5A 52 42 2B qB7aV5E5AERqZRB+
0b0 : 49 71 31 43 6B 6F 45 51 39 4E 45 51 7A 4D 41 51 Iq1CkoEQ9NEQzMAQ
0c0 : 42 53 70 62 69 4A 70 6E 37 73 4C 51 51 41 38 45 BSpbiJpn7sLQQA8E
0d0 : 7A 76 49 4A 0D 0A 51 51 42 45 65 6E 41 50 4B 51 zvIJ..QQBEenAPKQ
0e0 : 51 52 4C 78 51 43 42 49 34 4B 70 6E 65 4A 31 61 QRLxQCBI4KpneJ1a
0f0 : 4B 30 49 51 34 79 63 79 49 35 78 76 46 43 30 42 K0IQ4ycyI5xvFC0B
100 : 53 6F 48 2F 72 42 70 55 59 41 52 43 54 6F 6A 77 SoH/rBpUYARCTojw
110 : 46 2B 35 49 44 79 4A 31 77 54 4C 78 51 42 41 41 F+5IDyJ1wTLxQBAA
120 : 61 45 0D 0A 41 55 34 7A 61 38 58 79 64 41 77 2B aE..AU4za8XydAw+
130 : 55 41 2F 77 75 79 4D 4A 51 41 69 35 4A 52 73 67 UA/wuyMJQAi5JRsg
140 : 73 51 4A 63 4D 67 52 35 56 4B 67 66 30 4B 46 52 sQJcMgR5VKgf0KFR
150 : 70 68 4A 2F 4A 44 6F 6B 41 51 75 41 43 65 36 61 phJ/JDokAQuACe6a
160 : 79 6E 73 53 64 41 77 70 44 41 6E 68 74 55 51 53 ynsSdAwpDAnhtUQS
170 : 0D 0A 41 7A 67 65 6B 73 4D 45 4C 6D 52 46 5A 68 ..AzgeksMELmRFZh
180 : 4A 50 64 36 45 32 66 79 6D 6F 46 54 42 49 41 67 JPd6E2fymoFTBIAg
190 : 4D 44 5A 59 5A 4D 61 32 4B 77 4E 67 51 67 62 61 MDZYZMa2KwNgQgba
1a0 : 64 4D 48 75 36 43 55 7A 62 4F 73 37 65 68 7A 49 dMHu6CUzbOs7ehzI
1b0 : 42 59 70 77 76 33 34 42 78 6E 76 73 4E 61 0D 0A BYpwv34BxnvsNa..
1c0 : 41 5A 72 37 76 6C 6E 4D 6F 6C 43 7A 41 74 37 55 AZr7vlnMolCzAt7U
1d0 : 36 4C 50 71 52 72 39 42 6E 36 48 4D 67 46 70 78 6LPqRr9Bn6HMgFpx
1e0 : 32 75 64 35 43 67 4A 63 76 76 67 4C 6E 72 34 36 2ud5CgJcvvgLnr46
1f0 : 43 42 63 35 6A 49 43 49 58 67 41 54 5A 79 54 38 CBc5jICIXgATZyT8
200 : 49 64 6A 46 6B 62 62 48 68 6F 74 61 0D 0A 42 47 IdjFkbbHhota..BG
210 : 4F 33 30 50 49 49 35 75 72 4B 59 38 6F 49 72 72 O30PII5urKY8oIrr
220 : 4B 41 75 6A 61 59 38 75 70 4D 2B 76 76 49 57 69 KAujaY8upM+vvIWi
230 : 65 42 4B 34 41 6C 69 42 5A 56 44 64 4B 49 75 67 eBK4AliBZVDdKIug
240 : 59 41 55 57 6B 78 35 51 52 58 57 55 41 6B 35 43 YAUWkx5QRXWUAk5C
250 : 6B 4A 71 30 50 39 53 5A 39 63 0D 0A 4F 7A 77 72 kJq0P9SZ9c..Ozwr
260 : 41 45 54 47 5A 76 4F 42 4A 43 4A 77 45 59 41 6E AETGZvOBJCJwEYAn
270 : 42 41 54 4E 71 61 45 61 72 58 75 4B 4A 34 42 6F BATNqaEarXuKJ4Bo
280 : 64 2F 4A 72 48 71 59 58 4C 53 69 42 69 45 35 59 d/JrHqYXLSiBiE5Y
290 : 47 41 41 50 33 4F 41 32 32 58 74 47 73 31 6F 41 GAAP3OA22XtGs1oA
2a0 : 49 6D 76 2B 2F 6F 72 41 0D 0A 73 6F 46 69 4A 72 Imv+/orA..soFiJr
2b0 : 6A 53 73 61 56 71 54 50 72 70 42 42 41 78 41 45 jSsaVqTPrpBBAxAE
2c0 : 48 4E 49 2B 6E 66 67 52 49 34 46 77 41 4E 30 34 HNI+nfgRI4FwAN04
2d0 : 6C 73 57 43 42 58 50 61 30 41 58 4F 78 44 6E 4A lsWCBXPa0AXOxDnJ
2e0 : 74 64 57 55 43 77 6F 6E 51 55 79 30 4F 50 38 50 tdWUCwonQUy0OP8P
2f0 : 36 53 47 41 6E 50 0D 0A 4B 69 4D 33 45 6A 74 2B 6SGAnP..KiM3Ejt+
300 : 76 37 41 4E 49 73 41 51 41 41 66 53 69 64 4F 30 v7ANIsAQAAfSidO0
310 : 78 69 73 56 72 51 44 77 65 4E 64 32 42 64 78 5A xisVrQDweNd2BdxZ
320 : 51 4C 4C 76 35 41 63 4F 67 4B 2F 6F 30 67 30 49 QLLv5AcOgK/o0g0I
330 : 43 4B 45 4E 67 6C 67 79 41 41 66 53 63 41 4D 71 CKENglgyAAfScAMq
340 : 67 39 38 68 0D 0A 72 51 43 49 44 61 47 73 61 4A g98h..rQCIDaGsaJ
350 : 78 5A 51 4C 44 76 4C 67 33 71 34 68 2F 73 30 67 xZQLDvLg3q4h/s0g
360 : 32 56 7A 79 65 64 46 49 49 69 35 4B 45 41 42 6A 2VzyedFIIi5KEABj
370 : 70 73 6F 79 2B 4C 45 61 30 41 4B 75 53 34 32 50 psoy+LEa0AKuS42P
380 : 73 62 57 6B 43 77 4F 30 36 6F 56 48 6F 33 34 43 sbWkCwO06oVHo34C
390 : 57 63 0D 0A 46 41 51 39 68 5A 55 33 41 45 54 65 Wc..FAQ9hZU3AETe
3a0 : 62 6B 75 43 70 4D 53 68 41 42 50 66 63 42 33 78 bkuCpMShABPfcB3x
3b0 : 78 76 59 4C 57 67 56 42 6A 33 77 61 67 35 46 74 xvYLWgVBj3wag5Ft
3c0 : 53 42 47 4B 62 42 69 30 67 4F 74 53 42 47 4C 6F SBGKbBi0gOtSBGLo
3d0 : 59 43 63 38 71 6C 51 50 37 5A 46 31 72 55 36 43 YCc8qlQP7ZF1rU6C
3e0 : 0D 0A 69 47 63 47 5A 75 54 38 49 64 76 77 79 63 ..iGcGZuT8Idvwyc
3f0 : 6F 57 5A 41 34 48 6A 6A 79 4C 4B 36 4B 74 78 43 oWZA4HjjyLK6KtxC
400 : 55 35 74 45 51 4F 41 32 70 55 44 2B 52 50 32 36 U5tEQOA2pUD+RP26
410 : 71 42 67 79 55 6F 6C 42 77 43 32 48 4A 43 6F 59 qBgyUolBwC2HJCoY
420 : 5A 6B 44 41 41 46 6A 32 33 6F 63 59 47 73 0D 0A ZkDAAFj23ocYGs..
430 : 50 6A 72 6D 2F 42 71 30 67 4E 73 50 6A 72 6E 71 Pjrm/Bq0gNsPjrnq
440 : 56 41 2F 6E 44 39 47 70 4E 49 4D 69 54 45 38 43 VA/nD9GpNIMiTE8C
450 : 61 62 72 49 6E 66 74 49 51 51 30 59 77 74 70 44 abrInftIQQ0YwtpD
460 : 67 31 74 61 51 4C 50 38 69 67 42 4F 62 47 50 59 g1taQLP8igBObGPY
470 : 69 6A 51 2F 33 42 41 42 57 41 67 41 0D 0A 43 34 ijQ/3BABWAgA..C4
480 : 4F 6C 64 43 48 53 73 4B 48 75 4D 36 64 42 72 51 OldCHSsKHuM6dBrQ
490 : 42 59 47 49 52 56 4D 5A 6C 61 51 4C 46 6C 7A 56 BYGIRVMZlaQLFlzV
4a0 : 52 45 59 70 50 4D 6E 41 73 44 35 78 46 48 41 45 REYpPMnAsD5xFHAE
4b0 : 42 44 49 36 55 69 67 79 49 6F 4D 41 41 4F 6C 64 BDI6UigyIoMAAOld
4c0 : 59 74 76 33 6B 77 56 73 51 46 0D 0A 59 37 4F 6F Ytv3kwVsQF..Y7Oo
4d0 : 47 50 68 56 6C 41 74 30 52 67 71 74 74 48 44 5A GPhVlAt0RgqttHDZ
4e0 : 58 4D 74 4F 46 4C 42 34 44 38 41 6A 57 52 51 77 XMtOFLB4D8AjWRQw
4f0 : 6A 41 45 4E 4F 67 2F 51 52 77 50 54 45 6C 51 4A jAENOg/QRwPTElQJ
500 : 53 48 54 6C 52 59 64 64 66 79 64 38 45 67 41 69 SHTlRYddfyd8EgAi
510 : 68 53 56 32 49 64 47 61 0D 0A 62 66 71 68 4B 6C hSV2IdGa..bfqhKl
520 : 57 78 41 4D 71 72 43 37 62 2B 4C 31 74 41 67 50 WxAMqrC7b+L1tAgP
530 : 75 51 74 73 6F 79 67 6A 51 4D 34 75 61 55 35 63 uQtsoygjQM4uaU5c
540 : 6A 4D 45 45 41 30 69 45 7A 66 33 7A 5A 45 6B 42 jMEEA0iEzf3zZEkB
550 : 53 5A 38 6F 42 32 66 53                         SZ8oB2fS
```

Contact email: petrus@activesec.biz
Some text that clearly explains why you think this is a false positive case: The rule intercepted trusted traffic between two Windows servers of the organization.
--
Federico Petronio
petrus@activesec.biz
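Added example, not part of the thread and not Sourcefire's code: a small Python emulation of the option chain of sid 10995 in its rev 1 form (bare `content:"BDAT"; nocase`) and its rev 3 form (with `pcre:"/^BDAT/smi"`), run over the first three base64 lines of the captured payload quoted in the report and over a constructed SMTP client session. The handling of `byte_jump:2,1,relative,string,dec` and the negated `content:!"|0D 0A|"; within:2` is my reading of Snort's documented semantics, not Snort's own implementation; the session sample and all function names are my own.

```python
import re

# Added example: emulates Snort sid 10995 rev 1 (unanchored content:"BDAT") and
# rev 3 (pcre:"/^BDAT/smi") in plain Python so the reported false positive can be
# reproduced offline. Option semantics are an approximation of Snort's.

# First three base64 lines (offsets 0x000-0x0d5) of the 1368-byte payload from
# the hex dump in the report. Line 3 carries "BDAT" in the middle of the line.
CAPTURED_BODY = (
    b"Zc/7bHbHgGpNnjXTSrMgGYdv7NPUFNfmaRLgSgAUBTH8Phfgl+UFSB+g\r\n"
    b"NZjemZQ8LWgYwAGHiDRLKApM9sQQAD4ARGwjaRJ9VFoH0mJt+qEo9bUA8YA9Bo2svMzMxMJ0DBRs\r\n"
    b"TwAGCUACrdZ7uG3C0BDATl0UqB7aV5E5AERqZRB+Iq1CkoEQ9NEQzMAQBSpbiJpn7sLQQA8EzvIJ\r\n"
)

# Constructed sample (not from the capture): a client session whose BDAT command
# begins a line after two earlier commands, as a real BDAT would.
BDAT_SESSION = (
    b"MAIL FROM:<a@b>\r\n"
    b"RCPT TO:<c@d>\r\n"
    b"BDAT 12\r\n" + b"A" * 12
)

CRLF = b"\r\n"


def _tail_options_match(payload: bytes, bdat_end: int) -> bool:
    """Options that follow the BDAT match, evaluated relative to its end:
    byte_jump:2,1,relative,string,dec; content:!"|0D 0A|"; within:2."""
    read_at = bdat_end + 1                   # byte_jump offset 1 from the cursor
    digits = payload[read_at:read_at + 2]    # grab 2 bytes as a decimal ASCII string
    if len(digits) < 2:
        return False                         # nothing to convert: no match
    lead = re.match(rb"[0-9]*", digits).group()
    value = int(lead) if lead else 0         # strtoul-style: leading digits only
    jump_to = read_at + 2 + value            # cursor lands after the bytes read + value
    if jump_to > len(payload):
        return False                         # jump past the payload: no match
    # Negated content: succeeds when CRLF is NOT found within 2 bytes of the cursor.
    return payload[jump_to:jump_to + 2] != CRLF


def rev1_alerts(payload: bytes) -> bool:
    """rev 1: content:"BDAT"; nocase matches anywhere, base64 bodies included.
    Snort retries later content occurrences if the tail fails, hence the loop."""
    for m in re.finditer(rb"BDAT", payload, re.IGNORECASE):
        if _tail_options_match(payload, m.end()):
            return True
    return False


LINE_START_BDAT = re.compile(rb"^BDAT", re.MULTILINE | re.IGNORECASE)  # /^BDAT/smi


def rev3_alerts(payload: bytes) -> bool:
    """rev 3: same chain, but BDAT must begin a line (pcre:"/^BDAT/smi").
    Simplification: the relative options are evaluated from the anchored match."""
    for m in LINE_START_BDAT.finditer(payload):
        if _tail_options_match(payload, m.end()):
            return True
    return False


def evaluate(payload: bytes) -> dict:
    """Outcome of both rule revisions for one payload."""
    return {"rev1": rev1_alerts(payload), "rev3": rev3_alerts(payload)}


if __name__ == "__main__":
    for name, data in (("captured base64 body", CAPTURED_BODY),
                       ("constructed BDAT session", BDAT_SESSION)):
        print(f"{name}: {evaluate(data)}")
```

On the captured body rev 1 fires (the mid-line "BDAT" at offset 0x99 is followed by "l0U", the string conversion yields 0, and the two bytes after the jump are "qB", not CRLF) while rev 3 stays quiet; on the constructed session both revisions alert, so the anchor removes the base64 hit without losing the command-at-line-start case. Two caveats for anyone adapting the rule: the added `pcre` carries no `R` modifier, so it is matched against the whole payload rather than relative to the `content` hit, and with `/m` the `^` anchors at the start of any line in the payload, not only at the start of the packet.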
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs