[Snort-sigs] Possible false positives for rule 1:1983, 1:1980 and 1:1981

Alex Kirk alex.kirk at ...435...
Fri Aug 27 08:29:04 EDT 2004


Could you please send along a packet capture?

Alex Kirk
Research Analyst
Sourcefire, Inc.

>Rule:  
>alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; reference:nessus,10053; reference:mcafee,98574; classtype:misc-activity; sid:1983; rev:2;)
>--
>Sid:
>1:1983
>--
>Summary:
>
>--
>Impact:
>
>--
>Detailed Information:
>
>--
>Affected Systems:
>
>--
>Attack Scenarios:
>
>--
>Ease of Attack:
>
>--
>False Positives:
>Appears as though Novell NDPS traffic from network printers simulates
>this rule.
>
>--
>False Negatives:
>
>--
>Corrective Action:
>
>--
>Contributors:
>
>  
>




