[Snort-users] Rules from Snort don't match Arachnids?
tom at ...1901...
Wed Apr 25 17:49:35 EDT 2001
Snort picked up some events based on the following rule (rulebase comes
$EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming
Traffic"; flags: A+; refer
To get more information on this rule, I went to www.whitehats.com to look up
arachnids 79. But the database there says the snort rule should be
alert TCP $INTERNAL 5031 -> $EXTERNAL any (msg:
"IDS79/trojan-active-netmetro"; flags: SA;)
What's the deal? Who should I believe? Are there more disconnects between
snort.org and arachnids? The triggered events were probably harmless; they
were from EXTERNAL:5031 to WebServer:443. Most likely innocent https traffic.
What shall I do? Thoughts? Comments?
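
Added example, not part of the original post and not Snort's own code: a small Python matcher that applies only the fields visible in the two quoted rules (addresses, ports, direction, flags) to two constructed packets, showing why the snort.org header fires on the EXTERNAL:5031 -> WebServer:443 traffic while the arachnids header does not. The names Packet, SNORT_RULE, ARACHNIDS_RULE and the "external"/"internal" labels are assumptions made for illustration; the first rule is truncated in the post, so nothing beyond its visible fields is modelled.

```python
from dataclasses import dataclass

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

@dataclass
class Packet:
    src_side: str   # "external" or "internal" (illustrative labels)
    sport: int
    dst_side: str
    dport: int
    flags: str      # TCP flags set on the packet, e.g. "PA"

def port_match(spec, port):
    """Snort port spec: 'any', 'N' or 'lo:hi', optionally negated with '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def flags_match(spec, flags):
    """Bare 'SA' means exactly those flags; a trailing '+' allows extra flags."""
    want = sum(FLAG_BITS[c] for c in spec.rstrip("+"))
    have = sum(FLAG_BITS[c] for c in set(flags))
    return (have & want) == want if spec.endswith("+") else have == want

def rule_match(rule, pkt):
    return (rule["src"] == pkt.src_side and port_match(rule["sport"], pkt.sport)
            and rule["dst"] == pkt.dst_side and port_match(rule["dport"], pkt.dport)
            and flags_match(rule["flags"], pkt.flags))

# Only the fields visible in the post are represented here.
SNORT_RULE = {"src": "external", "sport": "5031", "dst": "internal",
              "dport": "!53:80", "flags": "A+"}
ARACHNIDS_RULE = {"src": "internal", "sport": "5031", "dst": "external",
                  "dport": "any", "flags": "SA"}

# Constructed packets: a web client that happens to use source port 5031,
# and a SYN-ACK sent by an internal host listening on port 5031.
HTTPS_CLIENT = Packet("external", 5031, "internal", 443, "PA")
LISTENER_REPLY = Packet("internal", 5031, "external", 40000, "SA")

def verdicts(pkt):
    return {"snort": rule_match(SNORT_RULE, pkt),
            "arachnids": rule_match(ARACHNIDS_RULE, pkt)}
```

The two headers look at opposite directions: the first matches any ACK-bearing packet arriving from source port 5031 to a destination port outside 53:80, while the second matches only a SYN-ACK leaving an internal port 5031.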