[Snort-sigs] Correction to signature 1227

Steven Alexander alexander.s at ...1565...
Mon Jun 9 15:23:03 EDT 2003


SID 1227 is currently:

alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound
client connection detected"; flow:established; reference:arachnids,126;
classtype:misc-activity; sid:1227; rev:5;) 



This rule allows for false positives where a machine on an external
network has connected to a server on the local network using the ports
6000-6005.  This rule should be modified to:

alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound
client connection detected"; flow:to_client,established;
reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;) 
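
The false positive described above, as an added example that is not part of the original post. It is a simplified model of the two flow options, not Snort's own matching code; the Packet fields and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass

X11_PORTS = range(6000, 6006)  # 6000:6005 inclusive, as in the rule header


@dataclass(frozen=True)
class Packet:
    src_external: bool  # source address is in $EXTERNAL_NET
    src_port: int
    dst_home: bool      # destination address is in $HOME_NET
    from_server: bool   # sent by the side that accepted the TCP connection
    established: bool   # three-way handshake has completed


def header_matches(p: Packet) -> bool:
    """alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any"""
    return p.src_external and p.dst_home and p.src_port in X11_PORTS


def sid1227_current(p: Packet) -> bool:
    """flow:established -- packet direction within the session is not checked."""
    return header_matches(p) and p.established


def sid1227_proposed(p: Packet) -> bool:
    """flow:to_client,established -- only server-to-client packets match."""
    return header_matches(p) and p.established and p.from_server


# Constructed sample traffic (assumed values, not captured data).
SAMPLES = {
    # Home client opened a session to an external X server on 6000;
    # this is the server's data coming back. The rule is meant to catch this.
    "outbound_x11_reply": Packet(True, 6000, True, from_server=True, established=True),
    # External client whose source port happens to be 6003 connected to a
    # local server; this is the client's request. The false positive.
    "inbound_client_request": Packet(True, 6003, True, from_server=False, established=True),
    # Same external client, but from a source port outside 6000:6005.
    "inbound_other_port": Packet(True, 40123, True, from_server=False, established=True),
}


def evaluate() -> dict:
    """Return {sample name: (current rule fires, proposed rule fires)}."""
    return {name: (sid1227_current(p), sid1227_proposed(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (cur, new) in evaluate().items():
        print(f"{name:24} current={cur!s:5} proposed={new}")
```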




