[Snort-sigs] Snort false positive for SID 218

Matt Linton mlinton at ...2291...
Mon Mar 1 07:45:06 EST 2004


Hello! I notice that you have no "known" false positives for SID 218 
(Solaris 2.5 backdoor/trojan).

Today I encountered a false positive of this rule.  The source IP was 
within my network, sending data to a Yahoo Messenger server, apparently 
running on port 23. From the look of the packet log and talking to the 
user, a banner ad for the movie "Freaky Friday" (the text in the alt 
tag) is likely what set off the rule.

Here's a packet capture, scrubbed of our source addresses. (Note: the 
user's Yahoo ID is also scrubbed out for their confidentiality.)


[**] DROP--BACKDOOR MISC solaris 2.5 attempt [**]
02/27-15:08:09.078811 192.168.100.298:1769 -> 216.155.193.185:23
TCP TTL:128 TOS:0x0 ID:43214 IpLen:20 DgmLen:331 DF
***AP*** Seq: 0xB2546C95  Ack: 0x91294198  Win: 0x4470  TcpLen: 20
59 4D 53 47 00 0B 00 00 00 94 00 15 00 00 00 00  YMSG............
DA 67 91 AB 32 36 C0 80 49 4D 56 2C 5B 6E 6F 6E  .g..26..IMV,[non
65 5D 3D 30 2C 30 2C 30 2C 30 2C 30 2C 30 2C 30  e]=0,0,0,0,0,0,0
3B 66 72 65 61 6B 79 66 72 69 64 61 79 3D 30 2C  ;freakyfriday=0,
30 2C 30 2C 30 2C 30 2C 30 2C 31 3B 70 61 6E 61  0,0,0,0,0,1;pana
73 6F 6E 69 63 3D 30 2C 30 2C 30 2C 30 2C 30 2C  sonic=0,0,0,0,0,
30 2C 31 3B 70 75 72 69 6E 61 63 61 74 73 3D 30  0,1;purinacats=0
2C 30 2C 30 2C 30 2C 30 2C 30 2C 31 3B 73 77 61  ,0,0,0,0,0,1;swa
74 3D 30 2C 30 2C 30 2C 30 2C 30 2C 30 2C 31 3B  t=0,0,0,0,0,0,1;
74 6D 6F 62 69 6C 65 3D 30 2C 30 2C 30 2C 30 2C  tmobile=0,0,0,0,
30 2C 30 2C 31 3B C0 80 59 4D 53 47 00 0B 00 00  0,0,1;..YMSG....
80 59 4D 53 47 00 0B 00 00 00 15 00 8A 00 00 00  .YMSG...........
00 00 00 15 00 8A 00 00 00 00 DA 67 91 AB 30 C0  ...........g..0.
39 C0 80


-- 
+---------------------------------------------------
| Regards;
| Matt Linton
| UNIX Systems Administrator
| ASANI Solutions, LLC.
+---------------------------------------------------
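Added example, not part of the original post: a small decoder for the first YMSG frame transcribed from the hex dump above. It shows the port-23 traffic carries Yahoo Messenger framing rather than a telnet session, and that "freakyfriday" is just one name in an IMVironment/ad list field, which is the kind of check an analyst would run before tuning or suppressing the alert. The YMSG header layout (magic, version, pad, body length, service, status, session id; fields separated by 0xC0 0x80) is assumed from public protocol descriptions.

```python
import struct

SEP = b"\xC0\x80"  # YMSG key/value separator

# First YMSG frame, transcribed from the hex dump in the post above.
HEADER = bytes.fromhex("59 4D 53 47 00 0B 00 00 00 94 00 15 00 00 00 00 DA 67 91 AB")
BODY = (b"26" + SEP
        + b"IMV,[none]=0,0,0,0,0,0,0;freakyfriday=0,0,0,0,0,0,1;"
          b"panasonic=0,0,0,0,0,0,1;purinacats=0,0,0,0,0,0,1;"
          b"swat=0,0,0,0,0,0,1;tmobile=0,0,0,0,0,0,1;" + SEP)
FRAME = HEADER + BODY


def parse_ymsg(payload: bytes):
    """Decode the first YMSG frame in payload; None if framing is not well formed.
    Assumed header: "YMSG", version(2), pad(2), body length(2), service(2),
    status(4), session id(4), all big-endian, followed by SEP-delimited strings."""
    if len(payload) < 20 or payload[:4] != b"YMSG":
        return None
    version, _pad, length, service, status, session = struct.unpack(
        ">HHHHII", payload[4:20])
    body = payload[20:20 + length]
    if len(body) != length or not body.endswith(SEP):
        return None  # truncated frame or missing trailing separator
    fields = body[:-2].split(SEP)  # alternating key, value strings
    return {"version": version, "length": length, "service": service,
            "status": status, "session": session,
            "fields": [f.decode("latin-1") for f in fields]}


def imv_names(frame) -> list:
    """Names listed in an 'IMV,' field value (IMVironments / ad entries)."""
    for value in frame["fields"]:
        if value.startswith("IMV,"):
            entries = [e for e in value[4:].split(";") if e]
            return [e.split("=", 1)[0] for e in entries]
    return []


def is_ymsg_on_port23(payload: bytes) -> bool:
    """Tuning check: a port-23 payload that parses as YMSG is Yahoo Messenger,
    so a telnet-oriented content match on it is a false-positive candidate."""
    return parse_ymsg(payload) is not None


if __name__ == "__main__":
    frame = parse_ymsg(FRAME)
    print(frame["fields"])
    print(imv_names(frame))
```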