[Snort-sigs] False Positive on sid 10000009

Nick Duda nduda at ...1896...
Mon Sep 29 14:45:03 EDT 2003


Correct me if I am wrong, but all that sig is doing is alerting on all UDP
traffic over port 8998. There is no content option. Not a very effective
Sobig sig, which is why you're getting those alerts.
 
- Nick
 
-----Original Message-----
From: Adam Towarnyckyj [mailto:adamt at ...1917...] 
Sent: Friday, September 26, 2003 1:00 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] False Positive on sid 10000009
 
Hey all. I'm new to the list and new to Snort. I just recently
subscribed to the list and wanted to say hi.
Also, I wanted to let you all know I found an interesting false positive
in a Sobig.F rule I found, I believe, in one of the archived posts.
Someone posted:
alert udp $HOME_NET any -> any 8998 (msg: "ALERT!!! Sobig.f
infection!!"; classtype:trojan-activity; sid: 10000009; rev: 1;)
as an alert for the sobig virus. I run a Counter-Strike server and found
out that whenever someone connects to it, the server sends back to port
8998. It's kinda funny actually. Every time someone connects to the
server, I get an alert saying it's infected with the Sobig virus. (kinda
hard for a freebsd machine eh?)
Anyways, thanks for all the interesting posts. You're all helping out a
lot.
 
Adam Towarnyckyj
Network Operations
CommSpeed
http://www.commspeed.net/
Phone: 928-772-1111 x131
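To make Nick's point concrete, here is an added example (not from the thread or from the Snort project) that evaluates the quoted rule over a few constructed UDP packets with a tiny rule matcher. The `HOME_NET` prefix, the packets and the `PLACEHOLDER_SOBIG_PATTERN` content string are all assumptions: the placeholder is not a real Sobig.F payload signature, it only shows how a `content` option narrows a port-only rule so that a game server's reply to a client on port 8998 no longer fires it.

```python
import re
from dataclasses import dataclass

# Assumed home network prefix (constructed value; Snort resolves $HOME_NET from its config).
HOME_NET = "192.168.1."

# The rule exactly as quoted in the thread.
THREAD_RULE = ('alert udp $HOME_NET any -> any 8998 (msg: "ALERT!!! Sobig.f infection!!"; '
               'classtype:trojan-activity; sid: 10000009; rev: 1;)')

# Hypothetical tightened variant: same header plus a content option. The pattern is a
# placeholder, NOT a real Sobig.F signature; it only demonstrates the effect of a payload check.
TIGHTENED_RULE = ('alert udp $HOME_NET any -> any 8998 (msg: "Sobig.f placeholder rule"; '
                  'content:"PLACEHOLDER_SOBIG_PATTERN"; classtype:trojan-activity; '
                  'sid: 10000009; rev: 2;)')


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rule(rule: str) -> dict:
    """Parse the subset of Snort rule syntax used here:
    action proto src sport -> dst dport (key:value; key:value; ...)"""
    m = re.match(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$',
                 rule.strip(), re.S)
    if not m:
        raise ValueError("unsupported rule syntax")
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr.startswith(HOME_NET)
    return spec == addr


def _port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Header check (proto, addresses, ports) followed by the optional content check."""
    if rule["proto"] != pkt.proto:
        return False
    if not (_addr_match(rule["src"], pkt.src) and _port_match(rule["sport"], pkt.sport)):
        return False
    if not (_addr_match(rule["dst"], pkt.dst) and _port_match(rule["dport"], pkt.dport)):
        return False
    content = rule["opts"].get("content")
    if content is not None and content.encode() not in pkt.payload:
        return False
    return True


def alerts(rule_text: str, packets: list) -> list:
    """Return the indices of packets that would raise an alert for the given rule."""
    rule = parse_rule(rule_text)
    return [i for i, pkt in enumerate(packets) if rule_matches(rule, pkt)]


# Constructed traffic sample (not captured data):
SAMPLE_PACKETS = [
    # 0: the game server in HOME_NET answering a client whose source port was 8998
    Packet("udp", "192.168.1.10", 27015, "203.0.113.5", 8998, b"\xff\xff\xff\xffgame-state"),
    # 1: an ordinary DNS reply, unrelated port
    Packet("udp", "192.168.1.1", 53, "192.168.1.20", 54321, b"\x12\x34\x81\x80"),
    # 2: inbound datagram to 8998 from outside; source is not in HOME_NET
    Packet("udp", "203.0.113.7", 40000, "192.168.1.10", 8998, b"hello"),
    # 3: outbound datagram to 8998 carrying the placeholder pattern
    Packet("udp", "192.168.1.30", 1234, "198.51.100.9", 8998, b"PLACEHOLDER_SOBIG_PATTERN"),
]

if __name__ == "__main__":
    print("thread rule fires on packets:", alerts(THREAD_RULE, SAMPLE_PACKETS))
    print("tightened rule fires on packets:", alerts(TIGHTENED_RULE, SAMPLE_PACKETS))
```

The port-only rule fires on both the game server's reply (packet 0) and the placeholder packet (packet 3), while the variant with a content option fires only on packet 3. Real tuning would use a payload pattern taken from an actual sample, plus flow or threshold options, rather than this placeholder.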
 