Snort mailing list archives

little help with false positives?


From: Henri Reinikainen <henri () reinikainen in>
Date: Fri, 20 Jul 2012 08:32:03 +0300

Hi

Does someone have time to educate me? Because I don't get it.

spamd-setup is running in cron hourly, fetching spammer IP lists from 
www.openbsd.org via HTTP. Every time this fetch happens there are some 
alerts triggered.

# spamd-setup -d -b
Getting http://www.openbsd.org/spamd/traplist.gz
blacklist uatraps 51709 entries
Getting http://www.openbsd.org/spamd/nixspam.gz
blacklist nixspam 40000 entries

sensitive_data: sensitive data global threshold exceeded
sensitive_data: sensitive data - eMail addresses
http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

I've checked the connection with telnet and the content of those lists. There 
is nothing even remotely like e-mail addresses (well, one). The other problem 
with this is that those lists are downloaded to the server, not uploaded. If 
I understand correctly, this rule should only be working in one 
direction.
If I download these lists and decompress them by hand, there are no 
decompression errors.

ipvar HOME_NET [xxx.xxx.xxx.xxx/32]
ipvar EXTERNAL_NET !$HOME_NET

alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] 
(msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, 
service smtp, service ftp-data, service imap, service pop3; 
sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
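The two checks the poster describes (is there enough e-mail-looking content in the fetched list to reach the sd_pattern count, and which direction does the rule header actually inspect) can be reproduced offline. This is an added example, not code from the thread or from Snort; the gzipped list is a constructed sample, and the e-mail regex is an assumption standing in for Snort's built-in "email" pattern.

```python
import gzip
import io
import re

# Constructed sample in the spamd traplist format (one address per line)
# with a single e-mail-like token mixed in; not real openbsd.org data.
SAMPLE_LIST = b"192.0.2.10\n192.0.2.11\n198.51.100.7\nabuse@example.com\n203.0.113.5\n"
SAMPLE_GZ = gzip.compress(SAMPLE_LIST)

# Assumption: a loose e-mail token regex; Snort's own sd_pattern "email"
# matcher is built in and may differ from this.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# The rule from the thread, joined onto one line for parsing.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] '
        '(msg:"SENSITIVE-DATA Email Addresses"; sd_pattern:20,email; '
        'classtype:sdf; sid:5; gid:138; rev:1;)')

RULE_HEADER_RE = re.compile(r"^\s*alert\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")


def count_email_tokens(gz_bytes: bytes) -> int:
    """Decompress a gzipped list in memory and count e-mail-like tokens."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        data = fh.read()
    return len(EMAIL_RE.findall(data))


def would_trip(gz_bytes: bytes, threshold: int = 20) -> bool:
    """True if the list body alone holds enough tokens for sd_pattern:<threshold>,email."""
    return count_email_tokens(gz_bytes) >= threshold


def rule_direction(rule: str) -> dict:
    """Parse the header so the inspected direction can be compared with the observed flow.
    For the thread's rule the source is $HOME_NET, i.e. client-to-server traffic only."""
    m = RULE_HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort alert rule header")
    proto, src, sport, arrow, dst, dport = m.groups()
    return {"proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "bidirectional": arrow == "<>"}


if __name__ == "__main__":
    print("email tokens in list:", count_email_tokens(SAMPLE_GZ))
    print("reaches threshold 20:", would_trip(SAMPLE_GZ))
    print("rule direction:", rule_direction(RULE))
```

The rule header parse confirms the rule only inspects packets leaving $HOME_NET, so a download body arriving from www.openbsd.org is not what this header selects; the content count shows whether the list body could reach the configured count at all.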