<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">


<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 10">
<meta name=Originator content="Microsoft Word 10">
<link rel=File-List href="cid:filelist.xml@...1918...">
<!--[if gte mso 9]><xml>
 <o:OfficeDocumentSettings>
  <o:DoNotRelyOnCSS/>
 </o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:SpellingState>Clean</w:SpellingState>
  <w:GrammarState>Clean</w:GrammarState>
  <w:DocumentKind>DocumentEmail</w:DocumentKind>
  <w:EnvelopeVis/>
  <w:Compatibility>
   <w:BreakWrappedTables/>
   <w:SnapToGridInCell/>
   <w:ApplyBreakingRules/>
   <w:WrapTextWithPunct/>
   <w:UseAsianBreakRules/>
   <w:UseFELayout/>
  </w:Compatibility>
  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
 </w:WordDocument>
</xml><![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:SimSun;
        panose-1:2 1 6 0 3 1 1 1 1 1;
        mso-font-alt:\5B8B\4F53;
        mso-font-charset:134;
        mso-generic-font-family:auto;
        mso-font-pitch:variable;
        mso-font-signature:3 135135232 16 0 262145 0;}
@font-face
        {font-family:"\@SimSun";
        panose-1:2 1 6 0 3 1 1 1 1 1;
        mso-font-charset:134;
        mso-generic-font-family:auto;
        mso-font-pitch:variable;
        mso-font-signature:3 135135232 16 0 262145 0;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {mso-style-parent:"";
        margin:0in;
        margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:12.0pt;
        font-family:"Times New Roman";
        mso-fareast-font-family:SimSun;}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;
        text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;
        text-underline:single;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        mso-style-noshow:yes;
        mso-ansi-font-size:10.0pt;
        mso-bidi-font-size:10.0pt;
        font-family:Arial;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:windowtext;}
span.SpellE
        {mso-style-name:"";
        mso-spl-e:yes;}
span.GramE
        {mso-style-name:"";
        mso-gram-e:yes;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;
        mso-header-margin:.5in;
        mso-footer-margin:.5in;
        mso-paper-source:0;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
 /* Style Definitions */ 
 table.MsoNormalTable
        {mso-style-name:"Table Normal";
        mso-tstyle-rowband-size:0;
        mso-tstyle-colband-size:0;
        mso-style-noshow:yes;
        mso-style-parent:"";
        mso-padding-alt:0in 5.4pt 0in 5.4pt;
        mso-para-margin:0in;
        mso-para-margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:10.0pt;
        font-family:"Times New Roman";}
</style>
<![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple style='tab-interval:.5in'>

<div class=Section1>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Hey all. I’m new to the list and new to Snort. I just
recently subscribed to the list and wanted to say hi.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Also, I wanted to let you all know I found an interesting
false positive in a <span class=SpellE>Sobig.F</span> rule I found, I believe,
in one of the archived posts.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Someone posted:<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>alert</span></font></span><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <span
class=SpellE>udp</span> $HOME_NET any -> any 8998 (<span class=SpellE>msg</span>:
"ALERT!!! <span class=SpellE>Sobig.f</span> infection!!<span class=GramE>";</span>
<span class=SpellE>classtype:trojan</span>-activity; <span class=SpellE>sid</span>:
10000009; rev: 1;)<o:p></o:p></span></font></p>

<p class=MsoNormal><span class=GramE><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>as</span></font></span><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'> an alert for the <span
class=SpellE>sobig</span> virus. I run a Counter-Strike server and found out
that whenever someone connects to it, the server sends back to port 8998. Its <span
class=SpellE>kinda</span> funny actually. Every time someone connects to the
server, I get an alert saying <span class=GramE>its</span> infected with the <span
class=SpellE>Sobig</span> virus. (<span class=SpellE><span class=GramE>kinda</span></span>
hard for a <span class=SpellE>freebsd</span> machine eh?)<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Anyways, thanks for all the interesting posts. You’re
all helping out a lot.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;mso-no-proof:yes'>Adam Towarnyckyj</span></font><span
style='mso-no-proof:yes'><o:p></o:p></span></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;mso-no-proof:yes'>Network Operations</span></font><span
style='mso-no-proof:yes'><o:p></o:p></span></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;mso-no-proof:yes'>CommSpeed</span></font><span
style='mso-no-proof:yes'><o:p></o:p></span></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;mso-no-proof:yes'><a href="http://www.commspeed.net/">http://www.commspeed.net/</a></span></font><span
style='mso-no-proof:yes'><o:p></o:p></span></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;mso-no-proof:yes'>Phone: 928-772-1111 x131</span></font><span
style='mso-no-proof:yes'><o:p></o:p></span></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>

</div>

</body>

</html>