[Snort-sigs] SID: 8477, definitely a "false positive"

Jon Hart jhart at ...288...
Wed Feb 7 10:05:10 EST 2007


On Tue, Feb 06, 2007 at 01:49:55PM -0600, Paul Schmehl wrote:
> I was investigating sid 8477 and came across this clear "false positive":
> 
> The rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR superspy 2.0 
> beta runtime detection - file management"; flow:from_server,established; 
> flowbits:isset,superSpy_20_Beta_FileMgt; content:"|01 03|"; depth:2; 
> nocase; threshold:type limit, track by_src, count 1, seconds 300; 
> reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726; 
> classtype:trojan-activity; sid:8477; rev:1;)

<snip>

> Every one of these alerts is alerting *correctly* based upon the rules of 
> the sig (content:"|01 03|"; depth:2;).

Don't forget the flowbits part -- this will only trigger if a packet in
the current session matched 'content:"|01 03|"; depth:2;', which still
isn't that uncommon, especially where I tend to see this rule trigger
a false positive -- p2p traffic.
> 
> Something isn't right with this sig.  Is it a typo?  Or does more research 
> need to be done to nail this thing down?

I too can confirm that this has a high rate of false positives.  I've
never actually seen this keylogger and have no pcaps, so I can't think
of ways to tighten it down.

-jon
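To make the evaluation order discussed above concrete, here is an added Python model of how sid:8477's options combine (flow:from_server, flowbits:isset, content with depth:2, and the per-source threshold). It is not Snort code and not from the thread; the companion rule that sets superSpy_20_Beta_FileMgt is not shown on the page, so a constructed `sets_flowbit` flag stands in for its effect, and all traffic is constructed.

```python
# Added illustration: a toy model of how sid:8477's options combine.
# Not Snort code; the companion rule that sets the flowbit is not on the
# page, so the constructed `sets_flowbit` flag stands in for its effect.
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float            # seconds since start of the constructed capture
    session: str         # stand-in for the TCP 5-tuple
    src: str             # source host, used by threshold track by_src
    from_server: bool    # flow:from_server
    payload: bytes
    sets_flowbit: bool = False  # companion rule matched on this packet (assumed)

def content_at_depth(payload: bytes, pattern: bytes, depth: int) -> bool:
    # content + depth: the whole pattern must sit within the first `depth` bytes,
    # so a two-byte pattern with depth:2 can only match at offset 0
    return pattern in payload[:depth]

def evaluate_sid_8477(packets):
    """Return the packets that would raise sid:8477, in time order."""
    flowbits = set()    # sessions where superSpy_20_Beta_FileMgt is set
    last_alert = {}     # threshold:type limit, track by_src, count 1, seconds 300
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.sets_flowbit:
            flowbits.add(p.session)
        if not p.from_server or p.session not in flowbits:
            continue
        if not content_at_depth(p.payload, b"\x01\x03", 2):
            continue
        # limit: one alert per source per 300 s window, the rest are dropped
        start = last_alert.get(p.src)
        if start is not None and p.ts - start < 300:
            continue
        last_alert[p.src] = p.ts
        alerts.append(p)
    return alerts

SAMPLE = [  # constructed traffic, not a real capture
    Packet(0.0, "A", "client1", False, b"\x01\x03\x00", sets_flowbit=True),
    Packet(1.0, "A", "srv1", True, b"\x01\x03\x00\x10"),    # bit set, 01 03 at offset 0: alert
    Packet(2.0, "B", "srv2", True, b"\x01\x03\xff"),        # same bytes, no flowbit: no alert
    Packet(3.0, "C", "client3", False, b"\x01\x03", sets_flowbit=True),
    Packet(4.0, "C", "srv3", True, b"\x00\x01\x03"),        # 01 03 at offset 1, outside depth:2
    Packet(5.0, "A", "srv1", True, b"\x01\x03\x00\x11"),    # srv1 again inside 300 s: thresholded
    Packet(400.0, "A", "srv1", True, b"\x01\x03\x00\x12"),  # window expired: alerts again
]

def alert_times():
    return [p.ts for p in evaluate_sid_8477(SAMPLE)]

if __name__ == "__main__":
    print(alert_times())  # [1.0, 400.0]
```

Any protocol whose server-side messages happen to begin with bytes 01 03 passes the content check once the flowbit is set, which is why the two-byte depth:2 match alone cannot separate the keylogger from p2p traffic.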
