[Snort-sigs] SID: 8477, definitely a "false positive"
jhart at ...288...
Wed Feb 7 10:05:10 EST 2007
On Tue, Feb 06, 2007 at 01:49:55PM -0600, Paul Schmehl wrote:
> I was investigating sid 8477 and came across this clear "false positive":
> The rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR superspy 2.0 beta runtime detection - file management"; flow:from_server,established; flowbits:isset,superSpy_20_Beta_FileMgt; content:"|01 03|"; depth:2; nocase; threshold:type limit, track by_src, count 1, seconds 300; classtype:trojan-activity; sid:8477; rev:1;)
> Every one of these alerts is alerting *correctly* based upon the rules of
> the sig (content:"|01 03|"; depth:2;).
Don't forget the flowbits part -- this will only trigger if a packet in
the current session matched 'content:"|01 03|"; depth:2;', which still
isn't that uncommon, especially where I tend to see this rule trigger
a false positive -- p2p traffic.
> Something isn't right with this sig. Is it a typo? Or does more research
> need to be done to nail this thing down?
I too can confirm that this has a high rate of false positives. I've
never actually seen this keylogger and have no pcaps, so I can't think
of ways to tighten it down.