I only started seeing ICMP PATH MTU denial of service after the bad April
version of MS MS05-019.
An updated version can out in June.
I expect these to largely disappear once everyone updates to the new version.
Bruce
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Matt Kettler
Sent: Monday, July 18, 2005 4:43 PM
To: Angelita de Cássia Corrêa
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] False positive
Angelita de Cássia Corrêa wrote:
Can I consider some false positives or really attempts in the alerts below?
(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) IIS UNICODE CODEPOINT ENCODING
attempted-recon: (http_inspect) DOUBLE DECODING ATTACK
If you see these going to YOUR webserver, probably, unless you use very odd
URIs that aren't supported by all servers.
If it's coming from your clients going to outside servers, it is probably not
an attack. You can't really expect to know what URIs outside sites use
intentionally in their own URLs. Some use really long URIs, encoded URI, etc.
You should consider setting up http_inspect to only watch traffic to your
servers, and set it's limits to match what your server can handle. See
snort.conf and doc/README.http_inspect.
non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING
That seems odd, but I don't know much about it. Could be cause by a nonstandard
service being used over port 80. (check to see if the IP of yours is running
something like accessmypc, or other oddball tunnels over port 80.)
(snort_decoder): Truncated Tcp Options
(snort_decoder): Tcp Options found with bad lengths
Very strange, but likely to be random corrupted garbage packets. See if it
correlates with other probes or activity from the same IP. Check your
serverlogs, etc.
misc-activity: ICMP PING CyberKit 2.2 Windows
No, that's an informational rule. Someone used cyberkit to perform a ping sort
saw. That's slightly suspicious as it's an oddball tool, but it is not an
attack. It *could* be recon, so keep an eye on that IP for attacks.
attempted-dos: ICMP PATH MTU denial of service
That's either a broken router, or someone trying to DoS you by closing up the
path MTU to something tiny.
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id�492&op=ick
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id�492&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
