[Snort-sigs] SID: 2329 - probable false positive

Domain Admin dominic at ...2526...
Tue Jun 1 08:21:34 EDT 2004


I've observed a false positive on SID 2329 (MS-SQL probe response overflow
attempt) - the vulnerability that is linked to MyDoom.

It seems to be triggered by a multiplayer game - it took me a while to track that
one down, until I noticed it was only at certain times of the day!  The game in
question is a beta, "Joint Operations" by Novalogic.

Anyway, while this game is running, every now and then, Snort flags it up as
hitting this signature.  A matching piece of data seems to come up every 3-5
minutes and is UDP traffic between ports that are static for the duration of
the game (both server and client).

Attached are a couple of pages from ACID with the packet details. If anybody needs
more details, please e-mail me directly (not on the list).


Dominic Cleal
dominic at ...2526...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040601/1dae7666/attachment.htm>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040601/1dae7666/attachment-0001.htm>
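One way to handle a false positive like this without disabling the rule, added here as an example and not part of Dominic's message: a Snort 2.x threshold.conf suppression limits the silencing to the host generating the game traffic, so SID 2329 still fires for any other source. The address 192.0.2.10 is a placeholder for the Joint Operations game host (the poster's message does not give the real address); gen_id 1 is the generator id for ordinary text rules.

```snort
# Added example (not from the original post). 192.0.2.10 is a placeholder
# for the Joint Operations game host; adjust to the address seen in ACID.
# Suppress SID 2329 when the game host is the packet source ...
suppress gen_id 1, sig_id 2329, track by_src, ip 192.0.2.10
# ... and when it is the destination, since the UDP ports are static in both directions.
suppress gen_id 1, sig_id 2329, track by_dst, ip 192.0.2.10
```

Before adding the suppression, confirm in the ACID packet details that every flagged packet really is between the game client and server on those static UDP ports; a suppression keyed to the host is preferable to commenting out the rule, because the game traffic is benign but the same payload pattern from an unrelated source would still deserve an alert.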
