[Emerging-Sigs] FP on 2011031?
jason.weir at nhrs.org
Fri Oct 8 10:04:57 EDT 2010
I'm running 22.214.171.124 as well..
And just like magic they stopped triggering sometime last night... No
changes on my end.. Gotta love it when that happens..
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of ilya
Sent: Friday, October 08, 2010 3:31 AM
To: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] FP on 2011031?
On 08.10.2010 08:16, waldo kitty wrote:
> On 10/7/2010 16:36, evilghost at packetmail.net wrote:
>> I really wish I had more to offer here. I just can't fathom why this
>> rule is firing. We ran it with 2.8.5.x and even now with 126.96.36.199
>> without any false positives.
>> I rarely, if ever, see it fire. I know this doesn't help your
>> situation but I am putting thought into it.
>> Double-checked and we're running 2011031; anyone else having issues?
> we're running it here in 188.8.131.52 with the VRT compile-time options and
> the VRT snort.conf... i'm not seeing it firing at all on my live
> traffic... i don't know what the problem might be over there at
> jason's place...
The same here: it fires only on a "GET" that is not all capitals.
(I'm just learning how to deal with Snort, going through the rule files,
letting some of the rules fire and checking system load. I just tested 2011031
with different strings.)
>> What version of Snort are you using Jason?
> FWIW: for the time being, mine is...
> ,,_ -*> Snort!<*-
> o" )~ Version 184.108.40.206 GRE (Build 39)
> '''' By Martin Roesch & The Snort Team:
> Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> Using PCRE version: 7.8 2008-09-05
> Using ZLIB version: 1.2.3
Occasionally, mine is almost the same:
,,_ -*> Snort! <*-
o" )~ Version 220.127.116.11 IPv6 GRE (Build 39)
'''' By Martin Roesch & The Snort Team:
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using PCRE version: 8.02 2010-03-19
Using ZLIB version: 1.2.3
>> Just don't see why this rule would fire on all HTTP GETs, it should
>> never fire on HTTP "GET"...
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
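Ilya's observation above (the rule fires only on a "GET" that is not all capitals) is exactly what a Snort-style content test without the `nocase` modifier does: `content` matches are case-sensitive unless `nocase` is set, so a negated case-sensitive test for the literal uppercase `GET` succeeds on `get` or `Get` but not on `GET`. The following is an added example, not code from the thread and not the body of ET rule 2011031; the two-test rule shape it models (`NON_UPPERCASE_GET`) and the request lines it runs over are constructed for illustration, and the `ContentMatch` class is a toy, not Snort's detection engine.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ContentMatch:
    """One Snort-style content test (hypothetical toy model, not Snort's engine)."""
    pattern: bytes
    nocase: bool = False          # 'nocase' modifier: compare case-insensitively
    negated: bool = False         # content:!"..." : succeed only if the pattern is absent
    depth: Optional[int] = None   # 'depth' modifier: search only the first N payload bytes

    def matches(self, payload: bytes) -> bool:
        window = payload if self.depth is None else payload[: self.depth]
        if self.nocase:
            found = self.pattern.lower() in window.lower()
        else:
            # Default Snort behaviour: a content match is case-sensitive.
            found = self.pattern in window
        return (not found) if self.negated else found


def rule_fires(payload: bytes, tests: List[ContentMatch]) -> bool:
    """A rule fires only when every content test in it succeeds."""
    return all(t.matches(payload) for t in tests)


# Hypothetical rule shape (assumption, not the real 2011031): "the request line
# starts with get in any case, but NOT with the exact uppercase GET".
NON_UPPERCASE_GET = [
    ContentMatch(b"get", nocase=True, depth=3),
    ContentMatch(b"GET", negated=True, depth=3),
]

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUEST_LINES = [
    b"GET / HTTP/1.1",             # normal, should not alert
    b"get / HTTP/1.1",             # lowercase method, alerts
    b"Get /index.html HTTP/1.0",   # mixed case, alerts
    b"POST /form HTTP/1.1",        # not a GET at all, should not alert
]


def alerts_for(request_lines: List[bytes]) -> List[bytes]:
    """Return the request lines on which the toy rule fires."""
    return [line for line in request_lines if rule_fires(line, NON_UPPERCASE_GET)]


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        verdict = "ALERT" if rule_fires(line, NON_UPPERCASE_GET) else "ok"
        print(f"{verdict:5} {line!r}")
```

The practical check this suggests when a rule seems to fire on every GET: confirm whether the deployed rule body carries `nocase` on the test that is meant to exclude the legitimate uppercase method, and feed the sensor a handful of request lines differing only in method case, as ilya did, to see which variants actually trigger.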