List: snort-sigs
Subject: Re: [Snort-sigs] False +ves on 2586 -- P2P eDonkey transfer
From: Alex Kirk <alex.kirk () sourcefire ! com>
Date: 2004-11-15 13:51:12
Message-ID: 4198B450.7000501 () sourcefire ! com
Hugo van der Kooij wrote:
> On Fri, 12 Nov 2004, Alex Kirk wrote:
>
> > Hugo van der Kooij wrote:
> >
> > > On Fri, 12 Nov 2004, Chich Thierry wrote:
> > >
> > > > Russell Fulton wrote:
> > > >
> > > > > GEN:SID 1:2586
> > > > > Message P2P eDonkey transfer
> > > > >
> > > > > Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET any (msg:"P2P eDonkey
> > > > > transfer"; flow:established; content:"|E3|"; depth:1;
> > > > > reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; \
> > > > > classtype:policy-violation; sid:2586; rev:1;)
> > > > >
> > > I think that the any definition should be a range for high ports
> > > (1024-65535). This would prevent most false positives with normal
> > > applications.
> > >
> > Actually, Hugo, specifying this sort of a high port range is likely to
> > generate *more* false positives.
> >
> I fail to see why
> Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET any (....
> would have less false positives compared to
> Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET 1024:65535 (....
>
> To me it would seem I would at least not be bothered by my traffic coming
> from port 4242 going to a remote webserver or imaps server or ....
> (anything below port 1024).
>
> Hugo.
>
Actually, it would be because I mis-read your mail, and thought that you
were proposing 1024:65535 on both sides, a la $HOME_NET 1024:65535 <>
$EXTERNAL_NET 1024:65535. You were correct, I just misinterpreted what
you were saying there.
Alex Kirk
Research Analyst
Sourcefire, Inc.
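As an added illustration of the port-range point argued in this thread (example code, not from any of the posters or from Snort itself): a small matcher for the port part of a Snort 2 rule header that checks the three header variants discussed, the original `4242 <> any`, Hugo's `4242 <> 1024:65535`, and the `1024:65535 <> 1024:65535` form Alex mis-read, against a handful of constructed flows. Addresses are ignored and only the single-spec port syntax (`any`, `N`, `N:M`, `:M`, `N:`, optional leading `!`) is handled; bracketed port lists are an assumption left out.

```python
# Added example, not from the thread. Matches only the port fields of a Snort 2
# rule header; $HOME_NET/$EXTERNAL_NET are ignored and bracketed lists like
# [80,443] are not supported (assumption: single port specs only).
from typing import Dict, Iterable, Tuple


def parse_port_spec(spec: str) -> Tuple[bool, int, int]:
    """Return (negated, low, high) for one Snort port spec such as '1024:65535'."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, 1, 65535
    if ":" in spec:                      # N:M, :M or N: (open-ended ranges)
        lo, hi = spec.split(":", 1)
        return negated, int(lo or 1), int(hi or 65535)
    return negated, int(spec), int(spec)


def port_matches(spec: str, port: int) -> bool:
    negated, lo, hi = parse_port_spec(spec)
    return (lo <= port <= hi) != negated


def header_matches(header: str, src_port: int, dst_port: int) -> bool:
    """Does the port part of a header like '$HOME_NET 4242 <> $EXTERNAL_NET any'
    match a flow with the given source and destination ports?"""
    _, a_port, direction, _, b_port = header.split()
    forward = port_matches(a_port, src_port) and port_matches(b_port, dst_port)
    if direction == "->":
        return forward
    # '<>' is bidirectional: the rule also matches with the sides swapped.
    reverse = port_matches(a_port, dst_port) and port_matches(b_port, src_port)
    return forward or reverse


# The three header variants from the thread.
HEADERS = {
    "original": "$HOME_NET 4242 <> $EXTERNAL_NET any",
    "hugo": "$HOME_NET 4242 <> $EXTERNAL_NET 1024:65535",
    "misread": "$HOME_NET 1024:65535 <> $EXTERNAL_NET 1024:65535",
}

# Constructed sample flows (src_port, dst_port): local 4242 talking to a remote
# HTTPS and IMAPS server, a peer-to-peer exchange on high ports, and an
# unrelated high-to-high flow that has nothing to do with port 4242.
SAMPLE_FLOWS = [(4242, 443), (4242, 993), (4242, 51234), (40123, 4242), (50000, 60000)]


def match_counts(flows: Iterable[Tuple[int, int]]) -> Dict[str, int]:
    """Number of sample flows each header variant would fire on."""
    flows = list(flows)
    return {name: sum(header_matches(h, s, d) for s, d in flows) for name, h in HEADERS.items()}
```

Hugo's variant drops the two low-port flows that the original header fires on, while the both-sides high range fires on any high-to-high flow regardless of port 4242, which is the "more false positives" case Alex had in mind.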