[Snort-sigs] False positive on rules SID=2182

Patrick Monfette patrick.monfette at ...2366...
Mon Apr 5 07:00:07 EDT 2004


Hi,

    I hope this helps you out for tuning this rule, or maybe just
include the information in your database.

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:  BACKDOOR typot trojan traffic

--
Sid: 2182

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives: Oracle server replicating to another server. The source Oracle server is connecting to another Oracle
server for replication of data. There's nothing bad about it. Details from ACID at the end of my message.

--
False Negatives:

--
Corrective Action:

--
Contributors: Patrick Monfette <patrick.monfette at ...2366...>

-- 
Additional References:

--

Meta
  ID #:            1 - 27180
  Time triggered:  2004-03-31 07:53:21
  Signature:       [snort] BACKDOOR typot trojan traffic
  Sensor name:     IDS1
  Interface:       eth1
  Filter:          none
  Alert group:     none

IP
  Source addr:  10.50.205.3   (FQDN: unable to resolve address)
  Dest addr:    10.50.205.11  (FQDN: unable to resolve address)
  Ver: 4   Hdr len: 5   TOS: 0   Length: 48   ID: 27516
  Flags: 0   Offset: 0   TTL: 126   Chksum: 8921
  Options: none

TCP
  Source port:  2351
  Dest port:    1522
  Flags:  R1  R0  URG  ACK  PSH  RST  SYN  FIN
          -   -   -    -    -    -    X    -
  Seq #: 1472951573   Ack: 0   Offset: 7   Res: 0
  Window: 64240   Urp: 0   Chksum: 65033
  Options:
    #1  MSS     length 2   data 0564
    #2  NOP     length 0
    #3  NOP     length 0
    #4  SACKOK  length 0

Payload
  none

Patrick Monfette
Systems, Network and Security Administrator