[Emerging-Sigs] FP on 2011031?

Weir, Jason jason.weir at nhrs.org
Fri Oct 8 10:04:57 EDT 2010


I'm running 2.8.6.1 as well..

And just like magic they stopped triggering sometime last night...  No
changes on my end..  Gotta love it when that happens..

-J

-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of ilya
Sent: Friday, October 08, 2010 3:31 AM
To: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] FP on 2011031?



On 08.10.2010 08:16, waldo kitty wrote:
> On 10/7/2010 16:36, evilghost at packetmail.net wrote:
>> I really wish I had more to offer here.  I just can't fathom why this
>> rule is firing.  We ran it with 2.8.5.x and even now with 2.8.6.1
>> without any false positives.
>>
>> I rarely, if ever, see it fire.  I know this doesn't help your 
>> situation but I am putting thought into it.
>>
>> Double-checked and we're running 2011031; anyone else having issues?
> we're running it here in 2.8.6.1 with the VRT compile-time options and
> the VRT snort.conf... i'm not seeing it firing at all on my live
> traffic... i don't know what the problem might be over there at
> jason's place...
>
The same here: it fires only on a "GET" that is not all capitals.
(I'm just learning how to deal with Snort, traversing the rule files,
letting some of the rules fire and checking system load. I just tested
2011031 with different strings.)
>> What version of Snort are you using Jason?
> FWIW: for the time being, mine is...
>      ,,_     -*> Snort! <*-
>     o"  )~   Version 2.8.6.1 GRE (Build 39)
>      ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>              Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>              Using PCRE version: 7.8 2008-09-05
>              Using ZLIB version: 1.2.3
Occasionally, mine is almost the same:
    ,,_     -*> Snort! <*-
   o"  )~   Version 2.8.6.1 IPv6 GRE (Build 39)
    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
            Using PCRE version: 8.02 2010-03-19
            Using ZLIB version: 1.2.3

>> Just don't see why this rule would fire on all HTTP GETs, it should 
>> never fire on HTTP "GET"...
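Added example, not code from the thread or from the Emerging Threats rule set: a small Python check that models the behaviour ilya reports for 2011031, flagging request lines whose method is "get" in any casing other than the canonical uppercase "GET". The sample request lines are constructed, and the assumption that the rule is effectively "case-insensitive match, minus the exact GET" rests only on the observation above, since the rule text itself is not on this page.

```python
import re

# Constructed sample HTTP request lines (not taken from the thread).
# They mix the canonical uppercase method with odd-cased variants, the
# kind of input the thread says makes 2011031 fire.
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.1",
    "get /index.html HTTP/1.1",
    "Get /index.html HTTP/1.0",
    "POST /login HTTP/1.1",
    "GEt /a.gif HTTP/1.1",
    "not a request line",
]

# method SP request-target SP HTTP-version (RFC 2616 request-line)
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Za-z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)$"
)


def parse_request_line(line):
    """Return the method/target/version of a request line, or None."""
    m = REQUEST_LINE.match(line)
    return m.groupdict() if m else None


def is_noncanonical_get(line):
    """True when the method reads 'get' in any casing other than 'GET'.

    Assumption: this is what the 2011031 observation amounts to, i.e. a
    case-insensitive match on the method with the exact 'GET' excluded.
    HTTP methods are case-sensitive, so 'get' or 'Get' is not a valid
    request and is worth a look, while a canonical 'GET' should never match.
    """
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    method = parsed["method"]
    return method.upper() == "GET" and method != "GET"


def flag_lines(lines):
    """Return the request lines that the modelled check would flag."""
    return [line for line in lines if is_noncanonical_get(line)]


if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_REQUEST_LINES):
        print("FLAGGED:", hit)
```

Running it against a pcap replay with both "GET" and "get" variants, as ilya did with different strings, is the quickest way to confirm whether a given rule revision keys on method case at all.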

