[Snort-sigs] FP for psyBNC (493)

Chris Edwards chris at ...3174...
Mon Aug 14 08:27:13 EDT 2006


We just had a false positive where a user (ok, me) read an email
where the email body text contained a psyBNC banner string

(the email was discussing an incident involving psyBNC...)

Looking at the rule, the FP is not surprising, as it appears to look for 
the string *anywhere* in the packet:

  alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access";
   flow:from_server,established; content:"Welcome!psyBNC at ...327...";
   classtype:bad-unknown; sid:493; rev:5;)

A real psyBNC banner (on a hacked machine etc) will always be at the start 
of the packet.  In every case we've seen, the string being tested for 
appears after a colon - e.g:

  :Welcome!psyBNC at ...327... NOTICE * :MaZuRRel

Thus, I suggest adding a "depth: 25" condition to this rule (hope I've 
counted right) which should eliminate most FPs and speed things up too.


Chris Edwards, Glasgow University Computing Service

More information about the Snort-sigs mailing list