On 09/11/11 03:05, Nick Morrott wrote:
> On 8 November 2011 10:58, Mike Perkins <mikep at randomtraveller.org.uk> wrote:
> Glad you've worked out where the problem was/is.
> After a little detective work, I think I may have worked out why Snort
> was blocking the grabber run (and triggering a false positive block):
> i) Looking at http://isc.sans.edu/diary.html?storyid=2540 suggests
> that the Snort rule causing the block has contents:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> Microsoft ANI file parsing overflow"; flow:established,from_server;
> content:"RIFF"; nocase; content:"anih"; nocase;
> byte_test:4,>,36,0,relative,little; reference:cve,2004-1049;
> classtype:attempted-user; sid:3079; rev:3;)
> ii) As you mentioned that the run stopped immediately after retrieving
> the Filmflex Previews listings, I grabbed a copy:
> http://xmltv.radiotimes.com/xmltv/2505.dat
> iii) The Snort rule above is looking for content that includes the
> string "anih" - looking through the Filmflex listings reveals an entry
> for the film "Saint" which features actress Escha Tanihatu.
> iv) My theory (as I have no knowledge of how Snort rules work fully)
> therefore is that the listings data for Filmflex is parsed as it comes
> in across the wire, triggers the Snort rule due to the presence of
> "Tanihatu", and blocks all future retrievals from
> xmltv.radiotimes.com.
> To remedy this situation, remove (or comment out) the Filmflex entry
> in your tv_grab_uk_rt config file and retry your regular grabber runs.
> Additionally, as this appears to be a genuine false positive
> detection, should it be reported to the Snort team?
Brilliant! I may probably know even less about Snort than you do, but your 
explanation seems entirely plausible.

I'm not sure why I have the 'Filmflex Preview Channel' still in the lineup. We 
don't use it, so I'll get rid of it.

If I can find out how to notify the Snort people with this one, I will.

Thanks for all your help.


Mike Perkins
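To check a theory like the one above, the content logic of sid:3079 can be modelled and run over a captured payload; the script below is an added example written for this thread, not code from the list, from Snort, or from the real 2505.dat file. It assumes standard Snort semantics (content options without distance/within are each searched over the whole payload; byte_test with `relative` reads from the end of the last content match) and uses constructed listing text in which an earlier field is assumed to contain the string "riff", since the rule needs "RIFF" as well as "anih" to fire.

```python
import struct

# Constructed samples (not the real http://xmltv.radiotimes.com/xmltv/2505.dat).
# A listing-style record whose cast field contains "Tanihatu", plus a title
# that happens to contain "riff" (an assumption about the data, not a fact).
LISTING_WITH_RIFF = b"Sheriff of Nowhere~Saint~Drama~Escha Tanihatu, A. N. Other~2005\n"
LISTING_NO_RIFF = b"Saint~Drama~Escha Tanihatu, A. N. Other~2005\n"
# Minimal RIFF/ACON (.ani) headers: an 'anih' chunk length of 36 is the normal size.
ANI_OK = b"RIFF" + struct.pack("<I", 60) + b"ACON" + b"anih" + struct.pack("<I", 36) + b"\x00" * 36
ANI_OVERSIZED = b"RIFF" + struct.pack("<I", 60) + b"ACON" + b"anih" + struct.pack("<I", 37) + b"\x00" * 37


def match_ends(payload, needle, nocase=True):
    """Yield the end offset of every occurrence of needle in payload."""
    hay, nd = (payload.lower(), needle.lower()) if nocase else (payload, needle)
    pos = hay.find(nd)
    while pos != -1:
        yield pos + len(nd)
        pos = hay.find(nd, pos + 1)


def sid3079_hit(payload):
    """Approximate the content logic of sid:3079 and return the 4-byte value that
    satisfied byte_test (as an int), or None if the rule would not fire.
    Neither content option carries distance/within, so each is searched over the
    whole payload independently; byte_test:4,>,36,0,relative,little reads the four
    bytes right after the 'anih' match as an unsigned little-endian integer.
    Snort retries later 'anih' occurrences if the first one fails the test."""
    if next(match_ends(payload, b"RIFF"), None) is None:
        return None
    for end in match_ends(payload, b"anih"):
        window = payload[end:end + 4]
        if len(window) == 4:
            value = struct.unpack("<I", window)[0]
            if value > 36:
                return value
    return None


if __name__ == "__main__":
    samples = [("ANI_OK", ANI_OK), ("ANI_OVERSIZED", ANI_OVERSIZED),
               ("LISTING_WITH_RIFF", LISTING_WITH_RIFF),
               ("LISTING_NO_RIFF", LISTING_NO_RIFF)]
    for name, data in samples:
        print(f"{name:18s} -> {sid3079_hit(data)}")
```

In the listing sample, the four ASCII bytes after "anih" in "Tanihatu" ("atu,") decode to a very large little-endian integer, so the size check passes trivially; the sample without "riff" does not fire, which is the first thing to verify against the real file before reporting a false positive.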

