[Snort-sigs] False Positive on SID 1983

Sam Evans wintrmte at ...2420...
Mon Oct 24 10:21:47 EDT 2005


We are getting a lot of false positives on SID 1983. It seems like looking
for 00 to be present within a depth of 2 isn't very solid. The majority of the
false positives we are seeing are in SNMP 161 traffic.

The signature is this:

alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1983; rev:3;)

I'm not sure how to revise this signature since I haven't tested DeepThroat
or analyzed its traffic. But I thought I would point out that it is a bit
of a noisy false positive.
 -Sam

