11-13-2003 03:06 AM - edited 03-09-2019 05:30 AM
Am getting a few 'Kazaa GET Request' (11005) alarms, but suspect they may be false positives. Can anything apart from Kazaa trigger this?
11-13-2003 04:36 AM
Me personally, I have never seen a false positive on 11005. Just my 2 cents. What makes you think they are false?
11-13-2003 03:32 PM
Are false +ves not possible when the source is a web server or proxy? The signature looks for GET / on the default Kazaa port.
11-13-2003 07:48 PM
Yes, in the case of HTTP traffic that has been proxied to the default KaZaa port you could get false fires. I would recommend that you capture trigger packets on the firings and inspect them. If you know the destination of the requests is a proxied web server and these prove to be misfires, you can exclude the destination for this alarm.
11-14-2003 01:13 AM
The reason I thought some were false positives is that on one alarm, the source address was a colleague who I know wasn't using Kazaa, to a destination address on our intranet. This would tie in with the explanation given in the previous two posts.
Thanks for your help, much appreciated.
11-14-2003 09:54 AM
With 3.x sensors, it is possible that the server and client get reversed, resulting in a false positive. 4.x does not have this problem. For this to happen, a web server would have to return 'GET /' somewhere in its data to a client on port 1214. This isn't the normal scenario, but it could happen. We will make a change to the signature that should fix this for the next signature update.
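The two false-positive cases described in this thread (a web server's response carrying "GET /" back to a client whose port happens to be 1214, and ordinary HTTP proxied to a host listening on 1214) can be reproduced with a small direction-aware check. This is an added illustration, not the Cisco signature's actual implementation; the packet records, addresses and payloads are constructed, and the simplified matching logic is an assumption about how a "GET / on port 1214" rule behaves.

```python
KAZAA_PORT = 1214  # default Kazaa port the signature watches (from the thread)

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, payload)
PACKETS = [
    # 1. request to a peer listening on 1214: a genuine hit
    ("10.0.0.5", 40001, "192.0.2.9", 1214, b"GET / HTTP/1.1\r\n"),
    # 2. web server answering a client whose ephemeral port is 1214; the
    #    response body happens to contain the text "GET /" (3.x reversal case)
    ("198.51.100.20", 80, "10.0.0.7", 1214, b"HTTP/1.1 200 OK\r\n\r\n<pre>GET /</pre>"),
    # 3. ordinary HTTP proxied to an intranet server that listens on 1214
    ("10.0.0.8", 40002, "10.0.0.50", 1214, b"GET / HTTP/1.0\r\n"),
    # 4. plain browsing on port 80: should match nothing
    ("10.0.0.9", 40003, "198.51.100.20", 80, b"GET /index.html HTTP/1.1\r\n"),
]


def naive_fires(pkt):
    """3.x-style check: 'GET /' anywhere in a packet touching port 1214,
    without regard to which side is the client."""
    src, sport, dst, dport, payload = pkt
    return KAZAA_PORT in (sport, dport) and b"GET /" in payload


def direction_aware_fires(pkt, excluded_dsts=frozenset()):
    """Fire only for client->server traffic whose destination port is 1214,
    skipping destinations the analyst has excluded (a known proxy or web
    server on 1214, as the thread recommends after inspecting trigger packets)."""
    src, sport, dst, dport, payload = pkt
    if dst in excluded_dsts:
        return False
    return dport == KAZAA_PORT and payload.startswith(b"GET /")


def flagged_sources(matcher, **kwargs):
    """Return the source addresses the given check would raise alarms for."""
    return [pkt[0] for pkt in PACKETS if matcher(pkt, **kwargs)]


if __name__ == "__main__":
    print("3.x-style:       ", flagged_sources(naive_fires))
    print("direction-aware: ", flagged_sources(direction_aware_fires))
    print("with exclusion:  ", flagged_sources(direction_aware_fires,
                                               excluded_dsts={"10.0.0.50"}))
```

Packet 2 is only caught by the naive check, which is the reversal case fixed in 4.x; packet 3 still fires on a direction-aware check and is the case the thread handles by excluding the known proxied destination.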