Snort mailing list archives
sid:663; rev:6 false alerts/bug
From: Michael Sierchio <kudzu () tenebras com>
Date: Thu, 16 Oct 2003 13:40:37 -0700
I've disabled this as an 'alert' and relegated it to 'log'
because of numerous, obvious false positives. Here's an
example:
[**] SMTP rcpt to sed command attempt [**]
10/15-07:38:47.438451 212.72.193.60:54751 -> 66.92.188.18:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:4052
***AP*** Seq: 0x288F03C Ack: 0xD444DB4A Win: 0xD2F0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
while this raw packet is clearly inoffensive
0000 00 02 3b 01 ee 0a 00 00 24 c0 7e 18 08 00 45 00 ..;..... $.~...E.
0010 00 34 a6 2d 40 00 3f 06 01 a3 42 5c bc 12 d4 48 .4.-@.?. ..B\...H
0020 c1 3c 00 19 d5 df 02 88 f0 3c d4 44 db 4a 80 10 .<...... .<.D.J..
0030 d2 f0 bd 03 00 00 01 01 08 0a 2f 8b 8a c4 03 47 ........ ../....G
0040 1c f1
going back to the previous RCPT TO: in the conversation, I also see
nothing noteworthy
0000 00 00 24 c0 7e 18 00 02 3b 01 ee 0a 08 00 45 00 ..$.~... ;.....E.
0010 00 52 d8 44 40 00 30 06 de 6d d4 48 c1 3c 42 5c .R.D@.0. .m.H.<B\
0020 bc 12 d5 df 00 19 d4 44 cb d6 02 88 f0 26 80 18 .......D .....&..
0030 16 d0 1b 05 00 00 01 01 08 0a 03 47 15 8f 2f 8a ........ ...G../.
0040 f2 b2 52 43 50 54 20 54 4f 3a 3c 6b 75 64 7a 75 ..RCPT T O:<kudzu
0050 40 74 65 6e 65 62 72 61 73 2e 63 6f 6d 3e 0d 0a @tenebra s.com>..
Comments considered in descending order of cogency ;-)
Cheers,
kudzu
--
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent man requires only two thousand five hundred."
- The Mahabharata
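The two hex dumps above can be checked mechanically rather than by eye. The following is an added example, not code from the original post or from Snort: it rebuilds the frames from the dump rows, decodes the Ethernet/IPv4/TCP headers into the same fields the Snort alert header prints (addresses, ports, TTL, flags, seq/ack), and extracts the SMTP payload. The final `rcpt_to_sed_suspect` check is an assumption about what a "rcpt to sed command attempt" signature is looking for (a RCPT TO argument that pipes into sed), not the actual content match of sid:663 rev:6.

```python
"""Decode the two hex dumps quoted in the message and see what is actually in
them.  Added example, not code from the original post or from Snort."""
import re
import struct

# Ethernet frames copied from the message above (offset + up to 16 hex bytes
# per row; the ASCII column is dropped).
ACK_DUMP = """
0000 00 02 3b 01 ee 0a 00 00 24 c0 7e 18 08 00 45 00
0010 00 34 a6 2d 40 00 3f 06 01 a3 42 5c bc 12 d4 48
0020 c1 3c 00 19 d5 df 02 88 f0 3c d4 44 db 4a 80 10
0030 d2 f0 bd 03 00 00 01 01 08 0a 2f 8b 8a c4 03 47
0040 1c f1
"""
RCPT_DUMP = """
0000 00 00 24 c0 7e 18 00 02 3b 01 ee 0a 08 00 45 00
0010 00 52 d8 44 40 00 30 06 de 6d d4 48 c1 3c 42 5c
0020 bc 12 d5 df 00 19 d4 44 cb d6 02 88 f0 26 80 18
0030 16 d0 1b 05 00 00 01 01 08 0a 03 47 15 8f 2f 8a
0040 f2 b2 52 43 50 54 20 54 4f 3a 3c 6b 75 64 7a 75
0050 40 74 65 6e 65 62 72 61 73 2e 63 6f 6d 3e 0d 0a
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from 'offset b0 b1 ... bF' rows."""
    out = bytearray()
    for row in dump.strip().splitlines():
        tokens = row.split()[1:]          # drop the offset column
        for tok in tokens[:16]:           # at most 16 data bytes per row
            if not HEX_BYTE.match(tok):   # anything else is an ASCII column
                break
            out.append(int(tok, 16))
    return bytes(out)


def snort_flags(flags):
    """Render TCP flags the way Snort prints them, e.g. '***AP***'."""
    labels = "12UAPRSF"
    bits = (0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01)
    return "".join(l if flags & b else "*" for l, b in zip(labels, bits))


def decode_frame(frame):
    """Parse an untagged Ethernet/IPv4/TCP frame into the fields the Snort
    alert header shows, plus the TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    tcplen = (off_flags >> 12) * 4
    return {
        "src": ".".join(map(str, src)), "sport": sport,
        "dst": ".".join(map(str, dst)), "dport": dport,
        "ttl": ttl, "id": ident, "dgmlen": total_len, "iplen": ihl,
        "flags": snort_flags(off_flags & 0xFF), "seq": seq, "ack": ack,
        "win": win, "tcplen": tcplen, "payload": tcp[tcplen:],
    }


# Rough stand-in for what a "rcpt to sed command attempt" signature is after:
# a RCPT TO argument that pipes into sed.  This is an assumption about the
# rule's intent, not the content match of sid:663 rev:6.
RCPT_SED = re.compile(rb"rcpt\s+to\s*:.*\|.*\bsed\b", re.IGNORECASE | re.DOTALL)


def rcpt_to_sed_suspect(payload):
    """True when the SMTP payload carries a RCPT TO that pipes into sed."""
    return RCPT_SED.search(payload) is not None


def describe(dump):
    """Snort-style one-line summary of a dumped frame plus the verdict."""
    p = decode_frame(hexdump_to_bytes(dump))
    return "%s:%d -> %s:%d TTL:%d %s payload=%r sed=%s" % (
        p["src"], p["sport"], p["dst"], p["dport"], p["ttl"], p["flags"],
        p["payload"], rcpt_to_sed_suspect(p["payload"]))


if __name__ == "__main__":
    for d in (ACK_DUMP, RCPT_DUMP):
        print(describe(d))
    # constructed payload of the kind the rule name describes
    print(rcpt_to_sed_suspect(b"RCPT TO:<|sed -e 's/x/y/' > /tmp/out>\r\n"))
```

Run as-is, the first dump decodes to a bare ACK from 66.92.188.18:25 with an empty TCP payload, and the second to a PSH/ACK from 212.72.193.60:54751 carrying only `RCPT TO:<kudzu@tenebras.com>\r\n`; neither contains a pipe or "sed", so the stand-in check stays quiet on both. The constructed payload in the last line is what a hit would look like.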