[Snort-users] Rules from Snort don't match Arachnids?

Tom Jacobsen tom at ...1901...
Wed Apr 25 17:49:35 EDT 2001

Hi All,

Snort picked up some events based on the following rule (rulebase comes 
from snort.org).

$EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming 
Traffic"; flags: A+;  refer

To get more information on this rule, I went to www.whitehats.com to lookup 
arachnids 79.  But the database there says the snort rule should be

alert TCP $INTERNAL 5031 -> $EXTERNAL any (msg: 
"IDS79/trojan-active-netmetro"; flags: SA;)

What's the deal?  Who should I believe.  Are there more disconnects between 
snort.org and arachnids?  The triggered events were probably harmless they 
were from EXTERNAL:5031 to WebServer:443.  Most likely innocent https traffic.

What shall I do?  Thoughts? Comments?


More information about the Snort-users mailing list