'Re: [Snort-sigs] False +ves on 2586 -- P2P eDonkey transfer'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-sigs
Subject:    Re: [Snort-sigs] False +ves on 2586 -- P2P eDonkey transfer
From:       Alex Kirk <alex.kirk () sourcefire ! com>
Date:       2004-11-15 13:51:12
Message-ID: 4198B450.7000501 () sourcefire ! com
[Download RAW message or body]

Hugo van der Kooij wrote:

> On Fri, 12 Nov 2004, Alex Kirk wrote:
> 
> 
> 
> > Hugo van der Kooij wrote:
> > 
> > 
> > 
> > > On Fri, 12 Nov 2004, Chich Thierry wrote:
> > > 
> > > 
> > > 
> > > > Russell Fulton wrote:
> > > > 
> > > > 
> > > > 
> > > > > GEN:SID   1:2586
> > > > > Message  P2P eDonkey transfer
> > > > > 
> > > > > Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET any (msg:"P2P eDonkey
> > > > > transfer"; flow:established; content:"|E3|"; depth:1;
> > > > > reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; \
> > > > > classtype:policy-violation; sid:2586; rev:1;) 
> > > > > 
> > > I think that the any definition should be a range for high ports
> > > (1024-65535). This would prevent most false positives with normal
> > > applications.
> > > 
> > > 
> > > 
> > Actually, Hugo, specifying this sort of a high port range is likely to
> > generate *more* false positives.
> > 
> > 
> 
> I fail to see why
> 	Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET any (....
> would have less false positives compared to
> 	Rule alert tcp $HOME_NET 4242 <> $EXTERNAL_NET 1024:65535 (....
> 
> To me it would seem I would at least not be bothered by my traffic coming
> from port 4242 going to a remote webserver or imaps server or ....
> (anything below port 1024).
> 
> Hugo.
> 
> 
> 
Actually, it would be because I mis-read your mail, and thought that you 
were proposing 1024:65535 on both sides, a la $HOME_NET 1024:65535 <> 
$EXTERNAL_NET 1024:65535. You were correct, I just misinterpreted what 
you were saying there.

Alex Kirk
Research Analyst
Sourcefire, Inc.


-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic