List:       bleeding-sigs
Subject:    Re: [Bleeding-sigs]  False Positive on Rule 2003020 (BLEEDING-EDGE
From:       Eric Hines <eric.hines () appliedwatch ! com>
Date:       2006-07-18 11:24:26
Message-ID: 44BCC4EA.7050308 () appliedwatch ! com

I guess it depends, it's a bit of a relative question. For example, (5) 
of our customers are Compaq environments and use it, but that's just us, 
I don't know about the community out there as a whole. It is very noisy 
because of the amount of compaq-https traffic that is generated. But 
then again, I don't know, maybe it's just us?

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------

Email:   eric.hines@appliedwatch.com
Address: 1095 Pingree Road
          Suite 213
          Crystal Lake, IL
          60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

--------------------------------------------------
Security Management for the Open Source Enterprise

Matt Jonkman wrote:
> We need an exclusion for that port. How common is that in use? I know
> the agent is there on most Compaqs (it's always a nice thing for us
> during pen tests). But are enough people using it to justify an
> exclusion sig?
> 
> Matt
> 
> Eric Hines wrote:
>> All,
>>
>> This signature is firing a lot of FPs caused by COMPAQ-HTTPS, which
>> always uses a SRC PORT of 2381.
>>
>> I know there are no documentation pages similar to snort.org for all of
>> our bleeding signatures, but until we do, have we thought about a
>> mechanism that allows us to submit and track known FPs for rules such as
>> this?
>>
>> E.g. you can submit a False Positive report to Sourcefire on the
>> snort.org rules and it's displayed under Known False Positives.
>>
>>
>> RULE
>> *****
>> alert tcp any any -> any 1024:65535 (msg:"BLEEDING-EDGE POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,from_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; sid:2003020; rev:5;)
>>
>>
>>
>> ------------- snip -------------------
>>
>> APPLIED WATCH COMMAND CENTER EVENT INFORMATION:
>> Alert ID: 1964071
>> Priority: 2
>> Timestamp: Sat Jul 15 17:24:18 CDT 2006
>> Signature ID : 2003020
>> Message: BLEEDING-EDGE POLICY TLS/SSL Encrypted Application Data on
>> Unusual Port
>>
>> IP HEADER INFORMATION:
>> Ver: 4
>> Length: 325
>> Flags: 4
>> Checksum: 50349
>> Hlen: 5
>> ID: 40809
>> TTL: 122
>> Source IP: 172.29.66.26
>> TOS: 0
>> Offset: 0
>> Proto: 6
>> Dest IP: 172.29.1.71
>>
>> TCP PROTOCOL INFORMATION:
>> Source Port: 2381
>> Dest Port: 1811
>> Seq #: 3192632106
>> Ack: 1689935534
>> Offset: 5
>> Flags: * * * A P * * *
>> Window: 16989
>> Checksum: 46135
>> URP: 0
>>
>> PAYLOAD INFORMATION:
>> 4500 0145 9f69 4000 7a06 c4ad ac1d 421a ac1d    E..E.i@.z.....B...
>> 0147 094d 0713 be4b b32a 64ba 5eae 5018 425d    .G.M...K.*d.^.P.B]
>> b437 0000 1703 0101 1827 07be b8ff e8bb 99a4    .7.......'........
>> 141a 53dc fca1 938a fec8 2ca1 2fc3 19c8 8425    ..S.......,./....%
>> 5dcc 8119 8381 b15d 1989 febe 6d5f 26c3 87dd    ]......]....m_&...
>> 93ea 4aee 11ef 2d53 f738 f19f be74 e316 da46    ..J...-S.8...t...F
>> 3439 f8ab 1c39 126c 3e8a aafc 2b7d 27d9 93cb    49...9.l>...+}'...
>> d6d0 b7c3 a5db 8743 09d5 f452 d0c9 797d 8583    .......C...R..y}..
>> 7841 a51c 4494 ede0 3f84 b893 a550 005e 0fef    xA..D...?....P.^..
>> 8a3e abe9 fd08 3b04 1d05 b256 3e06 757a ea3f    .>....;....V>.uz.?
>> 2266 c1d3 d1c5 53f3 eec8 a302 8081 25ae 3ea5    "f....S.......%.>.
>> 8637 a254 3252 bddc c36d fbf5 597a b956 77b1    .7.T2R...m..Yz.Vw.
>> 58f0 5c90 0370 8527 586a 6e1b 6401 6d50 37b5    X.\..p.'Xjn.d.mP7.
>> b887 c009 e0fc a034 78f2 2db1 b663 2f16 9d8e    .......4x.-..c/...
>> 834c 109b 9851 9b95 96d9 85d7 4a13 9d2e 5c8d    .L...Q......J...\.
>> 81be e6a1 d6e3 0779 fe91 1a04 d9a9 1119 276b    .......y........'k
>> 34fa 9997 97f4 7c48 c771 48c9 b1a6 afeb c0d9    4.....|H.qH.......
>> d62b 475a b412 6390 5bd9 2eee d442 64de 0b8e    .+GZ..c.[....Bd...
>> 51                                                      Q
>>
>>
> 

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
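The alert quoted in Eric's original message carries the full packet dump, and rule 2003020 is short enough to replay by hand. The Python below is an added example written for this thread, not code from the list or from the Bleeding Edge project: it parses that dump, confirms each condition the rule tests (server-to-client, client port in 1024:65535, TLS application-data header `17 03 01` within the first four payload bytes), models the kind of source-port exclusion Matt is asking about as a local port list, and implements the rule's `threshold:type limit, count 1, seconds 120, track by_src`. Two assumptions: the `flowbits:isset,BS.SSL.Established` condition is treated as already satisfied, since the handshake packets are not in the thread, and the exclusion list (`COMPAQ_HTTPS_PORT`) is a local tuning choice, not an official rule change.

```python
"""Replay the alert quoted in the thread through the match logic of
Bleeding-Edge rule 2003020 and a local source-port exclusion.

Added example for this thread; not code from the list or the project.
Assumptions: the BS.SSL.Established flowbit is treated as set (the
handshake is not in the thread) and the exclusion list is a local choice."""
import struct
from dataclasses import dataclass

# Hex columns of the PAYLOAD INFORMATION dump in the quoted alert, IP header
# onward (325 bytes). ASCII column omitted; bytes.fromhex skips whitespace.
ALERT_HEX = """
4500 0145 9f69 4000 7a06 c4ad ac1d 421a ac1d
0147 094d 0713 be4b b32a 64ba 5eae 5018 425d
b437 0000 1703 0101 1827 07be b8ff e8bb 99a4
141a 53dc fca1 938a fec8 2ca1 2fc3 19c8 8425
5dcc 8119 8381 b15d 1989 febe 6d5f 26c3 87dd
93ea 4aee 11ef 2d53 f738 f19f be74 e316 da46
3439 f8ab 1c39 126c 3e8a aafc 2b7d 27d9 93cb
d6d0 b7c3 a5db 8743 09d5 f452 d0c9 797d 8583
7841 a51c 4494 ede0 3f84 b893 a550 005e 0fef
8a3e abe9 fd08 3b04 1d05 b256 3e06 757a ea3f
2266 c1d3 d1c5 53f3 eec8 a302 8081 25ae 3ea5
8637 a254 3252 bddc c36d fbf5 597a b956 77b1
58f0 5c90 0370 8527 586a 6e1b 6401 6d50 37b5
b887 c009 e0fc a034 78f2 2db1 b663 2f16 9d8e
834c 109b 9851 9b95 96d9 85d7 4a13 9d2e 5c8d
81be e6a1 d6e3 0779 fe91 1a04 d9a9 1119 276b
34fa 9997 97f4 7c48 c771 48c9 b1a6 afeb c0d9
d62b 475a b412 6390 5bd9 2eee d442 64de 0b8e
51
"""

COMPAQ_HTTPS_PORT = 2381  # server port behind every FP reported in the thread


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    tcp_flags: int
    payload: bytes


def parse_packet(raw: bytes) -> Packet:
    """Minimal IPv4/TCP parser: just the fields the rule and exclusion test."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Packet(src, dst, sport, dport, tcp[13], tcp[data_off:])


def tls_record_header(payload: bytes):
    """(content_type, (major, minor), length) of the first TLS record."""
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return ctype, (major, minor), length


def rule_2003020_matches(pkt: Packet, ssl_established: bool = True) -> bool:
    """any any -> any 1024:65535; content:"|17 03 01|"; depth:4.
    flow:established,from_server is supplied by the caller (server = source)."""
    if not ssl_established:  # flowbits:isset,BS.SSL.Established
        return False
    if not 1024 <= pkt.dport <= 65535:  # client-side port range
        return False
    # depth:4 means the 3-byte pattern must start at payload offset 0 or 1
    return pkt.payload[:4].find(b"\x17\x03\x01") != -1


def should_alert(pkt: Packet,
                 excluded_server_ports=frozenset({COMPAQ_HTTPS_PORT})) -> bool:
    """Rule match minus a local exclusion on known SSL server ports
    (the 'exclusion sig' discussed in the thread, modelled as a port list)."""
    return rule_2003020_matches(pkt) and pkt.sport not in excluded_server_ports


class BySrcLimiter:
    """threshold:type limit, count 1, seconds 120, track by_src: pass the
    first `count` events per source, drop the rest until the window ends."""

    def __init__(self, count: int = 1, seconds: int = 120):
        self.count, self.seconds = count, seconds
        self._windows = {}  # src -> [window_start, events_seen]

    def allow(self, src: str, now: float) -> bool:
        start, seen = self._windows.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            self._windows[src] = [now, 1]
            return True
        self._windows[src][1] = seen + 1
        return seen < self.count


if __name__ == "__main__":
    pkt = parse_packet(bytes.fromhex(ALERT_HEX))
    print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
          f"TLS header {tls_record_header(pkt.payload)}")
    print("rule matches:", rule_2003020_matches(pkt),
          " alert after exclusion:", should_alert(pkt))
```

Running it reproduces the alert's header fields (172.29.66.26:2381 -> 172.29.1.71:1811, PSH/ACK, a 280-byte TLS 1.0 application-data record) and shows the rule firing as written but not once the server port is on the exclusion list; the limiter shows why one noisy Compaq host still produces at most one alert per two minutes rather than one per record.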