Snort mailing list archives

Re: false positive FYI


From: Daniel Schreiber <scrober () outlook de>
Date: Thu, 4 Jan 2018 14:10:05 +0000

Hello Mr. Lewis,

I have the packet capture now, but I think it is something like a man-in-the-middle. There are a lot of retransmissions 
caused by changing the checksum.
I'm not that good with packet capturing at all, so I don't know how to white out all my data.

Greetings

________________________________
From: Daniel Schreiber <scrober () outlook de>
Sent: Thursday, 4 January 2018 14:50
To: Al Lewis (allewi)
Subject: Re: Re: [Snort-sigs] false positive FYI

Hello,

So I have managed to capture the Snort log; maybe it will help you a little bit. I also have the packet capture, but I'm 
trying to sort it out a little bit for you.

Greetings
________________________________
From: Daniel Schreiber <scrober () outlook de>
Sent: Wednesday, 3 January 2018 14:34
To: Al Lewis (allewi)
Subject: Re: Re: [Snort-sigs] false positive FYI

Oh okay, so I will do some testing and do the normal things that cause this alert; maybe I can capture one of the 
malicious packets.

Greetings
________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Wednesday, 3 January 2018 14:23
To: Daniel Schreiber
Subject: Re: Re: [Snort-sigs] false positive FYI

Hello,

Yes, I was looking for a sample of the traffic. You won't be able to tell if this is a false positive without examining 
the traffic and/or some of the code (it's a preprocessing rule).




Albert Lewis

ENGINEER.SOFTWARE ENGINEERING

SOURCEfire, Inc. now part of Cisco

Email: allewi () cisco com

From: Daniel Schreiber <scrober () outlook de>
Date: Wednesday, January 3, 2018 at 8:18 AM
To: allewi <allewi () cisco com>
Subject: Re: [Snort-sigs] false positive FYI

Hello,
Sorry for my late reply. Do you mean a packet capture or something else?

I can tell you the remote IP addresses, because if I run a capture there is no blocking by Snort, not even an alert.

Again Sorry for my late reply.


________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Thursday, 7 December 2017 20:59
To: Daniel Schreiber; snort-sigs () lists snort org
Subject: Re: [Snort-sigs] false positive FYI

Hello,

Can you send a sample of the traffic?

Thanks.


Albert Lewis

ENGINEER.SOFTWARE ENGINEERING

SOURCEfire, Inc. now part of Cisco

Email: allewi () cisco com

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of 
Daniel Schreiber <scrober () outlook de>
Date: Thursday, December 7, 2017 at 2:45 PM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: [Snort-sigs] false positive FYI

Hello,

This rule here:
119:33 (http_inspect) UNESCAPED SPACE IN HTTP URI

causes some false positives on my setup.

It blocks Apple FaceTime server IPs and Steam akamaitechnologies IPs that seem to refer to the Steam network.

Greetings



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging 
threats: https://snort.org/downloads/#rule-downloads
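The thread ends with the reporter still unable to confirm from his capture whether 119:33 is a false positive. The block below is an added example for this archive page, not code from Snort or from anyone in the thread. It does the two things a practitioner would do with the Snort log and the packet capture: tally which remote hosts the 119:33 alerts cluster on, and check the HTTP request lines pulled from the capture against the condition the alert reports (a literal 0x20 inside the request URI rather than a percent-encoded %20). The alert lines and request lines are constructed samples; the fast-alert layout is assumed to match Snort's `alert_fast` output, and the IPs are documentation addresses, not Apple or Akamai hosts.

```python
"""Triage helper for Snort http_inspect alert 119:33 (UNESCAPED SPACE IN HTTP URI).

Added example for the Snort-sigs thread above, not Snort's own code.  All
input data below is constructed; the alert-line layout is an assumption
modelled on Snort's alert_fast output.
"""
import re
from collections import Counter

# Constructed alert_fast-style lines.  Assumed shape:
#   timestamp  [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:port -> dst:port
SAMPLE_ALERTS = """\
12/07-14:45:01.123456  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.7:80
12/07-14:45:02.223456  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 192.0.2.10:51240 -> 198.51.100.7:80
12/07-14:45:03.323456  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 192.0.2.11:40011 -> 203.0.113.42:80
12/07-14:45:04.423456  [**] [1:2000001:1] some other rule [**] [Priority: 2] {TCP} 192.0.2.10:51250 -> 203.0.113.9:80
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def remote_hosts_for_alert(log_text, gid, sid):
    """Count destination IPs for one (gid, sid), so the operator can see which
    remote hosts the alert clusters on and pull just those flows from the pcap."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m and int(m["gid"]) == gid and int(m["sid"]) == sid:
            hits[m["dst"]] += 1
    return hits


def split_request_line(line):
    """Return (method, uri, version) for an HTTP request line.

    The URI is everything between the first space and the last ' HTTP/' token,
    so a raw space inside the URI stays in the URI instead of splitting it.
    """
    line = line.rstrip("\r\n")
    method, _, rest = line.partition(" ")
    idx = rest.rfind(" HTTP/")
    if idx == -1:
        return method, rest, ""          # HTTP/0.9-style request, no version token
    return method, rest[:idx], rest[idx + 1:]


def uri_has_unescaped_space(line):
    """True when the URI carries a literal 0x20, i.e. the client did not
    percent-encode the space.  This is the condition 119:33 reports: a
    protocol-conformance check, not evidence of malicious content."""
    _, uri, _ = split_request_line(line)
    return " " in uri


def classify_requests(request_lines):
    """Pair each request line with whether it meets the 119:33 condition."""
    return [(line, uri_has_unescaped_space(line)) for line in request_lines]


# Constructed request lines, as one would copy them out of the capture.
SAMPLE_REQUESTS = [
    "GET /update/game 1.2/manifest.json HTTP/1.1",    # raw space: alert condition met
    "GET /update/game%201.2/manifest.json HTTP/1.1",  # encoded: no alert
    "GET /index.html HTTP/1.1",
    "GET /old style",                                 # HTTP/0.9 style, raw space
]

if __name__ == "__main__":
    for ip, n in remote_hosts_for_alert(SAMPLE_ALERTS, 119, 33).most_common():
        print(f"{ip}: {n} alert(s)")
    for line, flagged in classify_requests(SAMPLE_REQUESTS):
        print(f"{'ALERT' if flagged else 'ok   '} {line!r}")
```

Once the destination IPs are known, capturing only those flows (for example `tcpdump -s 0 -w fp.pcap host <ip>`) keeps unrelated data out of what gets shared on the list, which was the reporter's concern about whiting out his data. If the request lines in that capture do carry raw spaces, the alert is behaving as designed on a non-conforming client, and the decision is whether to keep 119:33 blocking or alert-only for those hosts rather than whether the rule is wrong.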
