08-29-2003 07:11 AM - edited 03-09-2019 04:36 AM
I am receiving quite a few false positives for this signature.
The signature should only fire when it is sent to service port = 69, but I receive the signature for other ports. The table below shows fields from the log file captured at the sensor. Fields 18 and 19 are the src and dst ports.
I am using signature update s49. I have included my signature description below as it was captured from the sensor. Is anyone else on the list seeing this?
| cut -d , -f13,16,17,18,19 | sort | uniq
ALARM DESCRIPTION id, SRC IP, DST IP, SRCPORT,DSTPORT
4613,my.server,131.175.60.253,0,1650
4613,my.server,137.193.222.54,0,1864
4613,my.server,139.92.143.102,0,1769
4613,my.server,139.92.226.158,0,1175
4613,my.server,151.27.11.21,0,1087
4613,my.server,158.169.162.91,0,2201
4613,my.server,158.169.162.91,0,2209
4613,my.server,193.121.57.2,0,1543
4613,my.server,193.159.69.227,0,3472
4613,my.server,193.2.52.201,0,1839
4613,my.server,193.77.156.161,0,1735
4613,my.server,194.196.100.34,0,1482
4613,my.server,194.196.100.34,0,2418
4613,my.server,194.196.100.34,0,3341
4613,my.server,194.228.225.131,0,3099
4613,my.server,194.254.77.154,0,4905
4613,my.server,194.52.86.124,0,1267
4613,my.server,194.67.183.7,0,1955
4613,my.server,194.78.198.254,0,47853
4613,my.server,195.103.110.131,0,1266
4613,my.server,195.197.189.73,0,4974
4613,my.server,195.251.117.169,0,3147
4613,my.server,195.85.176.78,0,2512
4613,my.server,202.123.161.241,0,7000
4613,my.server,203.135.9.247,0,3610
Current Signature: Engine STRING.UDP SIGID 4613
SigName: TFTP Filename Buffer Overflow
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireAll
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - LimitSummary =
7 - MaxInspectLength =
8 - MinHits =
9 - MinMatchLength =
10 - ResetAfterIdle = 15
11 * ServicePorts = 69
12 - SigComment =
13 - SigStringInfo = GET/PUT filename
14 - ThrottleInterval = 15
>nrvers
Application Versions for ??.??
The Version of the Sensor is: 3.1(3)S49
postoffice v220 (Release) 01/12/14-20:01
fileXfer v175 (Release) 01/07/11-21:48
logger v220 (Release) 01/12/14-19:59
sap v220 (Release) 01/12/14-20:01
sensor v262 (Release) 02/05/08-17:28
manage v220 (Release) 01/12/14-20:00
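The rows above come from a `cut -d , -f13,16,17,18,19` pipeline, so each line is SIGID, source address, destination address, source port, destination port. As an added example (not part of the original post), the script below triages rows in that shape against the signature's own parameters, ServicePorts = 69 and Direction = ToService: it counts how many alarms actually involve the service port, how many fire on some other port pair, and how many carry a source port of 0. The sample rows are constructed for the example and modelled on the thread; the hostname and addresses are placeholders.

```python
import csv
import io

# ServicePorts parameter of SIGID 4613 as shown in the signature dump above
SERVICE_PORT = 69

# Constructed sample, in the SIGID,SRC IP,DST IP,SRCPORT,DSTPORT shape the
# poster's cut pipeline produces. Not real sensor output.
SAMPLE_ROWS = """\
4613,my.server,131.175.60.253,0,1650
4613,my.server,158.169.162.91,0,2201
4613,my.server,203.135.9.247,0,3610
4613,my.server,192.0.2.25,2048,69
"""


def parse_rows(text):
    """Parse the five-field alarm rows into dicts with integer SIGID and ports."""
    rows = []
    for sigid, src, dst, sport, dport in csv.reader(io.StringIO(text)):
        rows.append({
            "sigid": int(sigid),
            "src": src,
            "dst": dst,
            "sport": int(sport),
            "dport": int(dport),
        })
    return rows


def triage(text, service_port=SERVICE_PORT):
    """Summarise how the alarms line up with ServicePorts / Direction=ToService.

    to_service_port : one of the two ports is the signature's service port,
                      which is what a ToService alarm should show
    off_port        : neither port is the service port; these are the rows the
                      poster is asking about
    src_port_zero   : rows whose recorded source port is 0; if this equals
                      total, the port fields themselves are suspect and the
                      off_port count cannot be trusted for tuning decisions
    """
    rows = parse_rows(text)
    summary = {"total": len(rows), "to_service_port": 0,
               "off_port": 0, "src_port_zero": 0}
    for r in rows:
        if r["sport"] == 0:
            summary["src_port_zero"] += 1
        if service_port in (r["sport"], r["dport"]):
            summary["to_service_port"] += 1
        else:
            summary["off_port"] += 1
    return summary


def port_fields_suspect(summary):
    """True when every row has source port 0, i.e. the logged ports look broken."""
    return summary["total"] > 0 and summary["src_port_zero"] == summary["total"]


if __name__ == "__main__":
    s = triage(SAMPLE_ROWS)
    print(s)
    print("port fields suspect:", port_fields_suspect(s))
```

Running it on the constructed rows gives three off-port alarms and three rows with source port 0; on the poster's real capture every row has source port 0, so `port_fields_suspect` would return True and the port columns should not be used to judge the signature until the logging is fixed.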
09-03-2003 07:09 AM
Is no one else on the list seeing this problem?
Can anyone tell me what the "*" means next to ServicePorts = 69?
Where in the signature does it look for non-printable characters and what non-printable characters does the signature look for?
09-03-2003 02:13 PM
This is a response to both of your posts. First, you will notice the source port for all of your alarms is 0. This is a known bug in 3.1(3). There is a 3.1(4) service pack that will fix this problem. Second, the "*" next to the ServicePorts parameter means that it is a required field. Lastly, we define non-printable characters as those in the ASCII range of \x80 to \xFF. These characters may indicate the presence of shell code in the filename of a TFTP request. A false positive is possible if non-ASCII character sets are used, but this is a rare occurrence in our experience.
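The reply above gives the three conditions the signature keys on: the packet is sent to the service port (Direction = ToService, ServicePorts = 69), it is a TFTP GET/PUT (RRQ/WRQ), and the filename contains bytes in the \x80 to \xFF range. The following is an added example, not Cisco's implementation and not from this thread, that reproduces that logic over constructed TFTP request packets so the false-positive case the reply mentions (a legitimate non-ASCII filename) can be seen directly. The RFC 1350 request layout it parses is standard; the port check, the byte range and the sample packets are assumptions stated in the code.

```python
import struct

# TFTP opcodes from RFC 1350; the signature's "GET/PUT filename" means RRQ/WRQ
TFTP_RRQ, TFTP_WRQ = 1, 2

# Parameters taken from the signature dump in the thread
SERVICE_PORT = 69
NON_PRINTABLE_LOW = 0x80   # reply defines non-printable as \x80..\xFF


def parse_tftp_request(payload):
    """Return (opcode, filename, mode) for an RRQ/WRQ, or None for anything else.

    Layout: 2-byte opcode | filename | NUL | mode | NUL
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # need filename, mode, and the empty field left after the final NUL
    if len(fields) < 3:
        return None
    return opcode, fields[0], fields[1]


def has_non_printable(data, low=NON_PRINTABLE_LOW):
    """True if any byte falls in the range the reply calls non-printable."""
    return any(b >= low for b in data)


def tftp_filename_alarm(payload, dst_port, service_port=SERVICE_PORT):
    """Approximation of SIGID 4613: fire only for RRQ/WRQ sent to the
    service port whose filename carries \x80-\xFF bytes."""
    if dst_port != service_port:          # Direction = ToService, ServicePorts = 69
        return False
    req = parse_tftp_request(payload)
    if req is None:                       # not a GET/PUT at all
        return False
    _, filename, _ = req
    return has_non_printable(filename)


def build_request(opcode, filename, mode=b"octet"):
    """Assemble a constructed RRQ/WRQ for testing; not captured traffic."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


# Constructed sample packets (assumptions for the example)
SAMPLES = {
    "plain ascii name to 69":   (build_request(TFTP_RRQ, b"boot.cfg"), 69),
    "utf-8 name to 69":         (build_request(TFTP_RRQ, b"r\xc3\xa9sum\xc3\xa9.txt"), 69),
    "high bytes to 69":         (build_request(TFTP_WRQ, b"A" * 8 + bytes(range(0x80, 0x90))), 69),
    "high bytes to other port": (build_request(TFTP_RRQ, bytes(range(0x80, 0x90))), 1650),
    "DATA packet to 69":        (b"\x00\x03\x00\x01payload", 69),
}


def evaluate_samples(samples=SAMPLES):
    """Run the check over every sample and return {label: fired}."""
    return {label: tftp_filename_alarm(p, port) for label, (p, port) in samples.items()}


if __name__ == "__main__":
    for label, fired in evaluate_samples().items():
        print(f"{label:28s} -> {'ALARM' if fired else 'no alarm'}")
```

The UTF-8 filename fires because 0xC3 and 0xA9 sit in the \x80 to \xFF range, which is exactly the false positive the reply describes; a tuning filter on that range alone cannot separate encoded text from shellcode, so the destination-port condition is what keeps the signature scoped, and it is also the condition the poster's alarms with a source port of 0 appear to violate.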
09-04-2003 12:59 AM
Hi Matthew,
Thanks for the reply. I guess that I should have read the readme.txt before I posted the question. Thanks once again. The assistance is very much appreciated.
Regards
Darin