Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] False positive

from [Matt Kettler] Network Security [Permanent Link]
Subject: Re: [Snort-users] False positive
Date: Mon, 18 Jul 2005 16:43:04 -0400
Angelita de Cássia Corrêa wrote: 
Can I consider some false positives or really attempts in the alerts below?

(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) IIS UNICODE CODEPOINT ENCODING

> attempted-recon: (http_inspect) DOUBLE DECODING ATTACK

If you see these going to YOUR webserver, probably, unless you use very odd URIs that aren't supported by all servers.

If it's coming from your clients going to outside servers, it is probably not an attack. You can't really expect to know what URIs outside sites use intentionally in their own URLs. Some use really long URIs, encoded URI, etc.

You should consider setting up http_inspect to only watch traffic to your servers, and set it's limits to match what your server can handle. See snort.conf and doc/README.http_inspect.

> non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING

That seems odd, but I don't know much about it. Could be cause by a nonstandard service being used over port 80. (check to see if the IP of yours is running something like accessmypc, or other oddball tunnels over port 80.)

(snort_decoder): Truncated Tcp Options
(snort_decoder): Tcp Options found with bad lengths

Very strange, but likely to be random corrupted garbage packets. See if it correlates with other probes or activity from the same IP. Check your serverlogs, etc.


misc-activity: ICMP PING CyberKit 2.2 Windows

No, that's an informational rule. Someone used cyberkit to perform a ping sort saw. That's slightly suspicious as it's an oddball tool, but it is not an attack. It *could* be recon, so keep an eye on that IP for attacks.

> attempted-dos: ICMP PATH MTU denial of service

That's either a broken router, or someone trying to DoS you by closing up the path MTU to something tiny.



-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Snort-users] Old unified log files, Kolanovic, Tomislav/Human Resources
Next by Date:  RE: [Snort-users] False positive, Briggs, Bruce
Previous by Thread:  Re: [Snort-users] False positive, Angelita de Cássia Corrêa
Next by Thread:  [Snort-users] SYN Proxy, Xavier Cabrera
Indexes:  [Date] [Thread] [Top] [All Lists]