[Snort-sigs] False Positive on sid 10000009

Adam Towarnyckyj adamt at ...1917...
Mon Sep 29 13:38:18 EDT 2003

Hey all. I'm new to the list and new to Snort. I just recently
subscribed to the list and wanted to say hi.
Also, I wanted to let you all know I found an interesting false positive
in a Sobig.F rule I found, I believe, in one of the archived posts.
Someone posted:
alert udp $HOME_NET any -> any 8998 (msg:"ALERT!!! Sobig.f infection!!"; classtype:trojan-activity; sid:10000009; rev:1;)
as an alert for the Sobig virus. I run a Counter-Strike server and found
out that whenever someone connects to it, the server sends back to port
8998. It's kinda funny actually. Every time someone connects to the
server, I get an alert saying it's infected with the Sobig virus. (Kinda
hard for a FreeBSD machine, eh?)
Anyways, thanks for all the interesting posts. You're all helping out a
Adam Towarnyckyj
Network Operations
Phone: 928-772-1111 x131
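The false positive above follows directly from the rule header: "$HOME_NET any -> any 8998" matches every UDP datagram an internal host sends to destination port 8998, including a game server's reply to a client that happened to pick 8998 as its source port. The following added example (it is not code from the original post or from the Snort project) is a small evaluator for Snort rule headers only, run over constructed traffic, so the match can be reproduced and a tightened header compared against it. Everything below that is not in the post is an assumption: $HOME_NET is taken as 192.0.2.0/24, the Counter-Strike server as 192.0.2.10 answering from UDP 27015 (the HLDS default), and the "tightened" rule is one illustrative way to keep that reply traffic from matching, not a published signature.

```python
"""Toy evaluator for Snort rule headers, to reproduce the false positive above.

Added example; not code from the original post or from the Snort project.
It models only the rule *header* (action proto src sport dir dst dport);
whether rule options in the body would also match is out of scope.
Constructed assumptions (not in the post): $HOME_NET is 192.0.2.0/24, the
Counter-Strike server is 192.0.2.10 and replies from UDP 27015 (HLDS
default), and TIGHTENED_RULE is illustrative, not an official signature.
"""
import ipaddress
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\(.*\)\s*$"
)

# Variable bindings as they would appear in snort.conf (assumed values).
VARS = {
    "$HOME_NET": "192.0.2.0/24",
    "$EXTERNAL_NET": "!192.0.2.0/24",
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def match_addr(spec: str, ip: str) -> bool:
    """Address spec: 'any', a variable, a CIDR/host, optionally '!'-negated."""
    if spec == "any":
        return True
    if spec in VARS:
        return match_addr(VARS[spec], ip)
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match_port(spec: str, port: int) -> bool:
    """Port spec: 'any', a single port, a lo:hi range, optionally '!'-negated."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not match_port(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def header_matches(rule: str, pkt: Packet) -> bool:
    """True if the packet's 5-tuple satisfies the rule header."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("cannot parse rule header: %r" % rule)
    if m["proto"] != pkt.proto:
        return False

    def one_way(src, sport, dst, dport):
        return (match_addr(m["src"], src) and match_port(m["sport"], sport)
                and match_addr(m["dst"], dst) and match_port(m["dport"], dport))

    forward = one_way(pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if m["dir"] == "->":
        return forward
    # '<>' is bidirectional: also evaluate with the endpoints swapped.
    return forward or one_way(pkt.dst, pkt.dport, pkt.src, pkt.sport)


# The rule quoted in the post, on one line.
ORIGINAL_RULE = ('alert udp $HOME_NET any -> any 8998 (msg:"ALERT!!! Sobig.f '
                 'infection!!"; classtype:trojan-activity; sid:10000009; rev:1;)')

# Illustrative tightening (assumption, not a published signature): exclude the
# game server's reply port and require the destination to be external.
TIGHTENED_RULE = ('alert udp $HOME_NET !27015 -> $EXTERNAL_NET 8998 (msg:"ALERT!!! '
                  'Sobig.f infection!!"; classtype:trojan-activity; sid:10000009; rev:2;)')

# Constructed traffic. The game client happened to use source port 8998, so the
# server's reply is addressed to port 8998, which is what the post describes.
GAME_REPLY = Packet("udp", "192.0.2.10", 27015, "198.51.100.7", 8998)
# What the rule was written for: an internal host sending to UDP 8998 outside.
OUTBOUND_8998 = Packet("udp", "192.0.2.55", 1042, "203.0.113.9", 8998)

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("tightened", TIGHTENED_RULE)):
        for label, pkt in (("game reply", GAME_REPLY), ("outbound 8998", OUTBOUND_8998)):
            print("%-9s rule vs %-13s -> %s" % (name, label, header_matches(rule, pkt)))
```

Run as a script, the original header matches both the game reply and the outbound probe, while the tightened header matches only the outbound probe. Negating one source port is a narrow fix: it silences this server's replies and nothing else, and any other internal host that talks to a client on port 8998 would still trip the rule. A payload content match would be the proper way to anchor the signature, but the post does not supply anything to match on, so none is invented here.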
