[Snort-users] 2.0 bug in flow:?

Jason Haar Jason.Haar at ...294...
Thu Jul 31 09:12:24 EDT 2003


Hi there

I just had a bunch of FPs on the following rule:

alert tcp any any -> any 1080 ( sid: 1000012; rev: 1; msg: "Trimble BugBear
B Backdoor Attack"; flow: to_server,established; content: "|3b|o|3b|";
depth:50;
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...;classtype:
trojan-activity;)


This triggered on a packet from a Win2K server (src port 139) to a client
(dst port 1080), that contained the "|3b|o|3b|" content,yada yada.

My problem is that I would have read that as "flow:from_server,established"
- not "to_server"...

Is the space to blame? If so, shouldn't snort sanity check that?

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




More information about the Snort-users mailing list