[Snort-sigs] False Positive on sid 10000009

Joe Stewart jstewart at ...5...
Mon Sep 29 14:32:10 EDT 2003

On Friday 26 September 2003 12:59 pm, Adam Towarnyckyj wrote:
> Also, I wanted to let you all know I found an interesting false
> positive in a Sobig.F rule I found, I believe, in one of the archived
> posts. Someone posted:
> alert udp $HOME_NET any -> any 8998 (msg: "ALERT!!! Sobig.f
> infection!!"; classtype:trojan-activity; sid: 10000009; rev: 1;)
> as an alert for the sobig virus. I run a Counter-Strike server and
> found out that whenever someone connects to it, the server sends back
> to port 8998. Its kinda funny actually. Every time someone connects
> to the server, I get an alert saying its infected with the Sobig
> virus. (kinda hard for a freebsd machine eh?)

Yes, that is an example of a poorly thought-out rule. Alerting on port 
number alone is guaranteed to have false positives. A better rule would 

alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"Sobig.E-F Trojan 
Site Download Request"; content:"|5c bf 01 29 ca 62 eb f1|"; dsize:8; 
reference:url,www.lurhq.com/sobig-f.html; classtype:trojan-activity; 
sid:1000021; rev:1;)


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation

More information about the Snort-sigs mailing list