[Snort-sigs] False Positive on sid 10000009
nduda at ...1896...
Mon Sep 29 14:45:03 EDT 2003
Correct me if I am wrong, but all that sig is doing is alerting on all udp
traffic over port 8998. There is no content option. Not a very effective
sobig sig, which is why you're getting those alerts.
From: Adam Towarnyckyj [mailto:adamt at ...1917...]
Sent: Friday, September 26, 2003 1:00 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] False Positive on sid 10000009
Hey all. I'm new to the list and new to Snort. I just recently
subscribed to the list and wanted to say hi.
Also, I wanted to let you all know I found an interesting false positive
in a Sobig.F rule I found, I believe, in one of the archived posts.
alert udp $HOME_NET any -> any 8998 (msg: "ALERT!!! Sobig.f infection!!"; classtype:trojan-activity; sid: 10000009; rev: 1;)
as an alert for the sobig virus. I run a Counter-Strike server and found
out that whenever someone connects to it, the server sends back to port
8998. It's kinda funny actually. Every time someone connects to the
server, I get an alert saying it's infected with the Sobig virus. (kinda
hard for a freebsd machine eh?)
Anyways, thanks for all the interesting posts. You're all helping out a
Phone: 928-772-1111 x131
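The reply above makes the key point: the rule carries no payload option, so its header alone decides whether it fires, and any UDP packet from $HOME_NET to port 8998 (a game server answering a client, for instance) will trigger it. The following is an added example, not code from the thread or from the Snort project. It parses the quoted rule, checks whether it contains any payload-inspecting option, and evaluates the header against a few constructed UDP flows. The HOME_NET value, the flow tuples and the second "with content" rule are all constructed for this example; the option list PAYLOAD_OPTIONS is an assumed subset of Snort's payload keywords.

```python
"""Port-only Snort rule lint and header matcher (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed subset of Snort payload-inspecting keywords; a rule with none of these
# matches on the header (proto/addresses/ports) alone.
PAYLOAD_OPTIONS = {"content", "uricontent", "pcre", "byte_test", "byte_jump", "isdataat"}

# Constructed value for this example; in a real deployment HOME_NET comes from snort.conf.
HOME_NET = ip_network("192.168.1.0/24")

# The rule quoted in the post, joined onto one line as Snort expects it.
SOBIG_RULE = ('alert udp $HOME_NET any -> any 8998 (msg: "ALERT!!! Sobig.f infection!!"; '
              'classtype:trojan-activity; sid: 10000009; rev: 1;)')

# Constructed rule with a placeholder payload match, only to show the lint passing it.
RULE_WITH_CONTENT = ('alert udp $HOME_NET any -> any 8998 (msg:"constructed example"; '
                     'content:"PLACEHOLDER-PATTERN"; sid:1000001; rev:1;)')

HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

    def has_payload_check(self) -> bool:
        return any(k in PAYLOAD_OPTIONS for k in self.options)


def parse_rule(text: str) -> Rule:
    """Split a Snort 2 rule into header fields and a key -> value option map.
    The option splitter is deliberately simple: it assumes no ';' inside quoted values."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return Rule(action, proto, src, sport, direction, dst, dport, options)


def lint(rule: Rule) -> list:
    """Return warnings for rules that will fire on traffic shape alone."""
    warnings = []
    if not rule.has_payload_check():
        warnings.append(f"sid {rule.options.get('sid', '?')}: no payload option, "
                        f"fires on every {rule.proto} packet to port {rule.dport}")
    return warnings


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip_address(addr) in HOME_NET
    if spec == "!$HOME_NET":
        return ip_address(addr) not in HOME_NET
    return ip_address(addr) in ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:  # range such as 1024: or 6000:6010
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_matches(rule: Rule, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """Evaluate only the rule header, which is all a rule without payload options has."""
    if rule.proto != proto:
        return False
    fwd = (_addr_match(rule.src, src) and _port_match(rule.sport, sport)
           and _addr_match(rule.dst, dst) and _port_match(rule.dport, dport))
    if rule.direction == "<>":
        rev = (_addr_match(rule.src, dst) and _port_match(rule.sport, dport)
               and _addr_match(rule.dst, src) and _port_match(rule.dport, sport))
        return fwd or rev
    return fwd


# Constructed flows: (label, proto, src, sport, dst, dport).
FLOWS = [
    ("game server reply to client", "udp", "192.168.1.10", 27015, "203.0.113.7", 8998),
    ("client query to game server", "udp", "203.0.113.7", 8998, "192.168.1.10", 27015),
    ("internal dns lookup", "udp", "192.168.1.10", 53412, "192.168.1.1", 53),
]


def matching_flows(rule_text: str, flows=FLOWS) -> list:
    rule = parse_rule(rule_text)
    return [label for label, *tup in flows if header_matches(rule, *tup)]


if __name__ == "__main__":
    for text in (SOBIG_RULE, RULE_WITH_CONTENT):
        r = parse_rule(text)
        print(r.options.get("sid"), lint(r) or "ok", matching_flows(text))
```

Run as a script it prints the lint result for both rules and the flows whose headers match; the benign game-server reply is the only constructed flow the quoted rule's header selects, which is exactly the false positive described in the post. A rule that relies on header fields alone is only as specific as the port it names, so when a port is shared by legitimate software the signature needs a payload constraint (or a tighter address spec) before it can be trusted as an infection indicator.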