[Snort-sigs] False Positive on sid 10000009
adamt at ...1917...
Mon Sep 29 13:38:18 EDT 2003
Hey all. I'm new to the list and new to Snort. I just recently
subscribed to the list and wanted to say hi.
Also, I wanted to let you all know I found an interesting false positive
in a Sobig.F rule I found, I believe, in one of the archived posts.
alert udp $HOME_NET any -> any 8998 (msg:"ALERT!!! Sobig.f infection!!"; classtype:trojan-activity; sid:10000009; rev:1;)
as an alert for the Sobig virus. I run a Counter-Strike server and found
out that whenever someone connects to it, the server sends back to port
8998. It's kind of funny, actually. Every time someone connects to the
server, I get an alert saying it's infected with the Sobig virus. (Kind of
hard for a FreeBSD machine, eh?)
Anyways, thanks for all the interesting posts. You're all helping out a
Phone: 928-772-1111 x131
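The false positive above comes from the rule header alone: it matches every UDP datagram from $HOME_NET to port 8998, with no notion of which side started the conversation, so a game server answering a client whose source port happens to be 8998 looks exactly like a host initiating traffic to 8998. The script below is an added example (not code from the original post or from the Snort project) that parses the posted rule's header, evaluates it against constructed packets, and adds a hypothetical flow tracker that records who sent the first datagram of each UDP conversation. The addresses, the $HOME_NET binding, the Counter-Strike ports (27015 server, client port 8998) and the FlowTracker class are all assumptions made for the example.

```python
"""Replay the 8998 false positive: evaluate the posted rule's header against
constructed UDP packets and show that only flow direction separates the
game-server reply from a host that initiates traffic to port 8998."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

# Assumed variable bindings; the real values come from snort.conf.
NETVARS = {"$HOME_NET": [ipaddress.ip_network("192.0.2.0/24")]}

# The rule from the post, on one line as Snort requires.
RULE = ('alert udp $HOME_NET any -> any 8998 (msg:"ALERT!!! Sobig.f infection!!"; '
        'classtype:trojan-activity; sid:10000009; rev:1;)')


def parse_header(rule):
    """Split a Snort rule into its seven header fields plus the raw option string."""
    header, _, options = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport,
                options=options.rstrip(")"))


def addr_matches(spec, addr):
    """'any', a $VAR bound in NETVARS, $EXTERNAL_NET (= not $HOME_NET) or a CIDR."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    home = NETVARS["$HOME_NET"]
    if spec == "$EXTERNAL_NET":
        return not any(ip in n for n in home)
    nets = NETVARS.get(spec) or [ipaddress.ip_network(spec, strict=False)]
    return any(ip in n for n in nets)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def header_matches(rule, pkt):
    """True if the packet satisfies the rule header (protocol, addresses, ports, direction)."""
    h = parse_header(rule)
    if h["proto"] != pkt.proto:
        return False
    fwd = (addr_matches(h["src"], pkt.src) and port_matches(h["sport"], pkt.sport)
           and addr_matches(h["dst"], pkt.dst) and port_matches(h["dport"], pkt.dport))
    if h["direction"] == "->":
        return fwd
    # '<>' is bidirectional: also accept the packet with endpoints swapped.
    rev = (addr_matches(h["src"], pkt.dst) and port_matches(h["sport"], pkt.dport)
           and addr_matches(h["dst"], pkt.src) and port_matches(h["dport"], pkt.sport))
    return fwd or rev


class FlowTracker:
    """Hypothetical stand-in for session tracking: remember which endpoint sent
    the first datagram of each UDP conversation (both directions share a key)."""

    def __init__(self):
        self.initiator = {}

    def observe(self, pkt):
        """Return True if this packet travels initiator -> responder."""
        key = frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        self.initiator.setdefault(key, (pkt.src, pkt.sport))
        return self.initiator[key] == (pkt.src, pkt.sport)


def evaluate(rule, packets):
    """Per packet: (header matches, packet is a reply within an existing flow)."""
    tracker = FlowTracker()
    verdicts = []
    for p in packets:
        from_initiator = tracker.observe(p)
        verdicts.append((header_matches(rule, p), not from_initiator))
    return verdicts


# Constructed traffic: a game client whose ephemeral port is 8998 connects to the
# Counter-Strike server, the server answers, and a separate host initiates to 8998.
CS_SERVER, SUSPECT, CLIENT, REMOTE = "192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.9"
PACKETS = [
    Packet("udp", CLIENT, 8998, CS_SERVER, 27015),   # client connects (src port 8998)
    Packet("udp", CS_SERVER, 27015, CLIENT, 8998),   # server reply: fires the rule
    Packet("udp", SUSPECT, 1234, REMOTE, 8998),      # host initiating to 8998: fires the rule
]

if __name__ == "__main__":
    for pkt, (hit, reply) in zip(PACKETS, evaluate(RULE, PACKETS)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"match={hit}  reply_in_existing_flow={reply}")
```

Packets 2 and 3 both satisfy the header, which is the whole problem: the rule cannot tell a server's reply from a host opening a new conversation. The only field that separates them here is the flow tracker's verdict, which is a hypothetical add-on for the example, not an option the posted rule has; in Snort itself the fix would be a narrower header or additional rule options, which the post does not propose.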