[Snort-users] BACKDOOR QAZ Worm Client Login access? False positive?

sart at ...11843...
Thu May 20 12:01:13 EDT 2004

Hello all.  This is my first post! 
I am a newbie to snort, and believe I have gotten my first false positive. 
 I searched the archives and googled and it seems that 2 people have 
posted this same scenario before, but I couldn't find any replies. 

The SID is 108 and the message is "BACKDOOR QAZ Worm Client Login access."
I have the sensor on a port mirroring all traffic to the DMZ. 
The Source address in the "SID 108" alert is the internal address of our 
SMTP server, and the Destination is 
The Payload is [length = 5, 000 : 00 00 00 00 45]

The write-up in the snort sig database was very specific and told me what 
reg key to look for, and what file to look for.  The write-up said that 
false positives were not likely, but I searched for the reg key and the 
supposed Trojan file on every computer on the DMZ and found nothing 
related to the sig write-up. 

I realize this is 99 percent likely a false positive but any advice as to 
how I can decipher that myself in the future would be greatly appreciated. 
 Like they say, catch a fish for a man and he will eat for a day, but 
teach him how to fish and he will eat forever. 

Thanks Guys. 
Seth Art
Computer Support Specialist
TrialGraphix - Exhibits, Technologies, and Trial Consulting
Fax: 305-576-0188
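An added triage helper, not from the original post or the Snort project, that parses a payload dump in the form quoted above and checks whether the captured bytes actually contain the rule's content string; the content string assumed for SID 108 is my assumption and should be verified against the rules file on the sensor:

```python
import re

# Constructed sample: the payload exactly as quoted in the alert above.
ALERT_PAYLOAD_LINE = "[length = 5, 000 : 00 00 00 00 45]"

# Assumption: content match carried by SID 108; confirm in your own rules file.
SID_108_CONTENT = b"qazwsx.hsq"

# One dump segment: 3-digit hex offset, colon, then hex byte pairs.
_SEGMENT = re.compile(r"([0-9A-Fa-f]{3})\s*:\s*((?:[0-9A-Fa-f]{2}(?![0-9A-Fa-f])\s*)+)")


def parse_payload(line: str) -> bytes:
    """Turn '[length = N, OFF : xx xx ..., OFF : xx ...]' into raw bytes.

    Offsets are treated as hex. The declared length is checked against the
    bytes actually listed so a truncated copy-paste is noticed, not triaged.
    """
    m = re.search(r"length\s*=\s*(\d+)", line)
    if not m:
        raise ValueError("no length field in payload line")
    declared = int(m.group(1))
    chunks = {int(off, 16): bytes.fromhex("".join(hexbytes.split()))
              for off, hexbytes in _SEGMENT.findall(line)}
    data = b"".join(chunks[k] for k in sorted(chunks))
    if len(data) != declared:
        raise ValueError(f"declared length {declared}, got {len(data)} bytes")
    return data


def triage(payload: bytes, content: bytes) -> dict:
    """Did the bytes the alert carried contain the rule's content, and what
    do they look like (printable ratio, ASCII rendering)?"""
    printable = sum(32 <= b < 127 for b in payload)
    return {
        "length": len(payload),
        "content_present": content in payload,
        "printable_ratio": printable / len(payload) if payload else 0.0,
        "ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in payload),
    }


def verdict(line: str, content: bytes = SID_108_CONTENT) -> str:
    """Plain-language next step for the analyst, derived from the payload."""
    t = triage(parse_payload(line), content)
    if t["content_present"]:
        return "content matched: treat as a real hit until host checks clear it"
    return ("rule content absent from captured payload: likely false positive; "
            "compare the rule revision on the sensor with the write-up's rule")
```

If the content is absent yet the rule fired, the sensor is almost certainly running a different revision of the rule than the one the write-up describes, which is the first thing to reconcile.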
