[Snort-sigs] Warning: flowbits keys (not) set/checked (Trojan Bot/Sasser rules)

Frank Knobbe frank at ...1978...
Wed Oct 12 19:58:05 EDT 2005


On Wed, 2005-10-12 at 20:09 -0500, Ellen L Mitchell wrote:
> I'm missing something... I've been reviewing my rule set and I have a
> couple questions that google couldn't solve.
> 
> The following Trojan Bot rules (from bleeding-virus) use "flowbits:
> set,trojan;" but I haven't been able to find any rule that uses
> "flowbits: isset,trojan".  Am I missing rules, or missing information
> about how the rules are supposed to work?  I checked bleeding-all just
> in case they weren't included in the -virus set.

Nope, you're not missing anything. I think it was set so that any future
rules might check it. Also, if you have custom rules that might fire on
this sort of trojan activity, you could use the flowbit to suppress
alert from them. 

Since it's only a warning on startup of Snort, we just left the flowbit
set in there since it doesn't break anything. Lazy? Perhaps, but I'd
like to consider it "forward-thinking" instead ;)


> Similarly, the Sasser/Korgo worm rule (SID 2001286 Rev 10) uses
> "flowbits: isset,netbios.lsass.bind.attempt;" but I can't find a rule 
> that sets "netbios.lsass.bind.attempt".

I wondered about that myself. I think that's a remnant from an external
contribution, Joe Stewart from LURHQ I believe. We could certainly clean
that up, but a) it may break things in peoples setups where that is
actually used, and b) again, since it doesn't break anything, it's low
on the priority list.

All, would anyone be affected if we'd remove this?

Thanks,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20051012/c1adf2e1/attachment.sig>


More information about the Snort-sigs mailing list