[Emerging-Sigs] very curious FP 2001984

Frank Knobbe frank at knobbe.us
Thu Jul 10 12:42:30 EDT 2008


On Thu, 2008-07-10 at 11:31 -0400, Matt Jonkman wrote:
> The sigs prior to this that set the flowbit do have flow direction, so 
> those are not being honored somehow.
> 
> But we can add !$SSH_PORTS to the source in this one. That'll end your 
> FPs on it, but there is another issue. Is this sensor overloaded or 
> anything? Stream5 configured well?

Nope, you can't. If you set both ports to !$SSH_PORTS, you render the
signature useless. (Think about it :)

Instead, the <> should probably be changed. I thought I had
already done that and created two directional (outbound/inbound) rules
for this. Maybe that was the other set of abnormal SSH sigs.

-Frank
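The point Frank makes about negating $SSH_PORTS on both sides of a bidirectional header is easy to see with a small model of how Snort evaluates the port fields and the direction operator. The block below is an added illustration, not the actual ET rule 2001984 and not code from the thread: it implements only the port/direction part of the rule-header grammar (IP fields are accepted but ignored), and the rule headers, port variable table and SSH session ports are constructed for the example.

```python
# Added illustration (not from the thread, not the actual ET rule 2001984):
# a minimal model of how Snort evaluates the port fields and the direction
# operator of a rule header. It shows why negating $SSH_PORTS on both sides
# of a bidirectional (<>) header matches no SSH traffic at all, while
# splitting it into two directional (->) headers keeps the direction explicit.

# Constructed variable table; only the port variable matters for this model.
VARIABLES = {"SSH_PORTS": {22}}


def port_matches(spec, port, variables=VARIABLES):
    """Evaluate one port field: 'any', a number, $VAR, or '!' negation of these."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif spec.startswith("$"):
        hit = port in variables[spec[1:]]
    else:
        hit = port == int(spec)
    return not hit if negate else hit


def header_matches(header, src_port, dst_port, variables=VARIABLES):
    """Return True if a packet (src_port -> dst_port) matches the rule header.

    header looks like: 'alert tcp any !$SSH_PORTS <> any !$SSH_PORTS'
    Only the port fields and the direction operator are modelled.
    """
    _action, _proto, _sip, sport, direction, _dip, dport = header.split()
    forward = (port_matches(sport, src_port, variables)
               and port_matches(dport, dst_port, variables))
    if direction == "->":
        return forward
    if direction == "<>":
        # Bidirectional: the header also matches with source/destination swapped.
        reverse = (port_matches(sport, dst_port, variables)
                   and port_matches(dport, src_port, variables))
        return forward or reverse
    raise ValueError(f"unknown direction operator {direction!r}")


# Constructed SSH session: client ephemeral port 51234, server port 22.
CLIENT_TO_SERVER = (51234, 22)
SERVER_TO_CLIENT = (22, 51234)

# Constructed headers (hypothetical; not the real 2001984 header).
HEADERS = {
    # the shape discussed in the thread: bidirectional, SSH port on one side
    "bidirectional": "alert tcp any any <> any $SSH_PORTS",
    # the suggested change with !$SSH_PORTS on both sides
    "both_negated": "alert tcp any !$SSH_PORTS <> any !$SSH_PORTS",
    # the directional split: one rule per direction
    "inbound": "alert tcp any any -> any $SSH_PORTS",
    "outbound": "alert tcp any $SSH_PORTS -> any any",
}


def evaluate(headers=HEADERS):
    """Report which header matches which direction of the SSH session."""
    return {
        name: {
            "client_to_server": header_matches(h, *CLIENT_TO_SERVER),
            "server_to_client": header_matches(h, *SERVER_TO_CLIENT),
        }
        for name, h in headers.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14s} {result}")
```

Running it shows that the "both_negated" header matches neither direction of the SSH session (it only matches connections where neither end is an SSH port, e.g. 40000 -> 80), whereas the "inbound" and "outbound" pair each match exactly one direction, which is the property a flow-direction-aware signature needs.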
