[Snort-sigs] SID: 8477, definitely a "false positive"

Paul Schmehl pauls at ...1311...
Tue Feb 6 14:49:55 EST 2007

I was investigating sid 8477 and came across this clear "false positive":

The rule (wrapped by the mail client; it is a single line in the rules file):
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR superspy 2.0 beta runtime detection - file management"; flow:from_server,established; flowbits:isset,superSpy_20_Beta_FileMgt; content:"|01 03|"; depth:2; nocase; threshold:type limit, track by_src, count 1, seconds 300; classtype:trojan-activity; sid:8477; rev:1;)

The packet:
 length = 48

000 : 01 03 AD 76 87 8E F1 FC 35 C6 E0 27 AD 0A 6B 99   ...v....5..'..k.
010 : 64 6E 99 F6 25 E2 90 2C 4C 5D 82 6E 16 13 92 0D   dn..%..,L].n....
020 : E8 8C 7D C4 2C 88 2A 34 33 B5 1E 3D FB B9 6D BE   ..}.,.*43..=..m.

Both ends of this conversation are FreeBSD boxes - workstation and server. 
It's hard to see how a *Windows-only* keystroke logger could be running on 
my FreeBSD workstation.  (And no, I'm not running vmware or other windows 
emulation software.)

What I don't understand is how looking for SOH ETX in the first two bytes 
is going to be isolated to this keystroke logger.

I've got hundreds of these alerts.  Some are from Solaris boxes as well. 
In fact the number one "offender" is a Solaris 10 server that's a general 
purpose server used by students, staff and faculty.  (SunOS apache 5.10 
Generic_118833-18 sun4u sparc SUNW,Sun-Fire-880)

Every one of these alerts is alerting *correctly* based upon the rules of 
the sig (content:"|01 03|"; depth:2;).

Something isn't right with this sig.  Is it a typo?  Or does more research 
need to be done to nail this thing down?

Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
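To show which of the rule's options actually does the filtering, here is an added Python example (not from the post and not from the Snort rule set) that rebuilds the quoted hex dump and evaluates the sid:8477 options the way Snort would. The rule that sets the superSpy_20_Beta_FileMgt flowbit is not on the page, so the flowbit state is passed in as an assumption.

```python
# Added example: parse the payload quoted in the post and evaluate the options of sid:8477.

HEXDUMP = """\
000 : 01 03 AD 76 87 8E F1 FC 35 C6 E0 27 AD 0A 6B 99   ...v....5..'..k.
010 : 64 6E 99 F6 25 E2 90 2C 4C 5D 82 6E 16 13 92 0D   dn..%..,L].n....
020 : E8 8C 7D C4 2C 88 2A 34 33 B5 1E 3D FB B9 6D BE   ..}.,.*43..=..m.
"""

RULE_CONTENT = b"\x01\x03"                  # content:"|01 03|"
RULE_DEPTH = 2                              # depth:2
RULE_FLOWBIT = "superSpy_20_Beta_FileMgt"   # flowbits:isset,... (setter rule not on the page)


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from 'OFF : XX XX ...   ascii' lines as printed in the post."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hexpart = line.split(":", 1)[1].split("   ", 1)[0]  # drop offset and ASCII column
        out += bytes.fromhex(hexpart)                         # fromhex ignores whitespace
    return bytes(out)


def content_matches(payload: bytes, content: bytes = RULE_CONTENT, depth: int = RULE_DEPTH) -> bool:
    """Snort content+depth: the whole pattern must sit inside the first `depth` payload bytes."""
    return payload[:depth].find(content) != -1


def sid_8477_fires(payload: bytes, flowbits: set, direction: str) -> bool:
    """Every option must hold: server->client flow, flowbit already set by an earlier rule,
    and the 2-byte content within depth. threshold/classtype do not affect the match."""
    return (direction == "from_server"
            and RULE_FLOWBIT in flowbits
            and content_matches(payload))


def expected_random_matches(n_packets: int, content: bytes = RULE_CONTENT) -> float:
    """How many uniformly random payloads out of n_packets satisfy the content check:
    a k-byte fixed prefix matches 1 in 256**k of them (1 in 65536 for |01 03|)."""
    return n_packets / (256 ** len(content))


if __name__ == "__main__":
    payload = parse_hexdump(HEXDUMP)
    print(f"payload length {len(payload)}, first bytes {payload[:2].hex()}")
    print("content/depth alone matches:", content_matches(payload))
    print("fires with flowbit unset:   ", sid_8477_fires(payload, set(), "from_server"))
    print("fires with flowbit set:     ", sid_8477_fires(payload, {RULE_FLOWBIT}, "from_server"))
    print("random hits per 1M server->client packets:", expected_random_matches(10**6))
```

The content/depth check is the rule's only payload discriminator, so the alert volume on a busy network is decided almost entirely by how selective the flowbit-setting rule is.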