[Snort-users] BACKDOOR QAZ Worm Client Login access? False positive?

sart at ...11843...
Thu May 20 12:01:13 EDT 2004


Hello all.  This is my first post!
I am a newbie to Snort, and believe I have gotten my first false positive.
I searched the archives and googled and it seems that 2 people have
posted this same scenario before, but I couldn't find any replies.

The SID is 108 and the message is "BACKDOOR QAZ Worm Client Login access."
I have the sensor on a port mirroring all traffic to the DMZ. 
The Source address in the "SID 108" alert is the internal address of our 
SMTP server, and the Destination is 192.6.1.3. 
The Payload is [length = 5, 000 : 00 00 00 00 45]

The write-up in the snort sig database was very specific and told me what 
reg key to look for, and what file to look for.  The write-up said that 
false positives were not likely, but I searched for the reg key and the 
supposed Trojan file on every computer on the DMZ and found nothing 
related to the sig write-up. 

I realize this is 99 percent likely a false positive but any advice as to
how I can decipher that myself in the future would be greatly appreciated.
Like they say, catch a fish for a man and he will eat for a day, but
teach him how to fish and he will eat forever.

Thanks Guys. 
Seth Art
Computer Support Specialist
TrialGraphix - Exhibits, Technologies, and Trial Consulting
800-334-5403
305-576-5400
Fax: 305-576-0188
http://www.trialgraphix.com
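The question above asks how to judge an alert like this yourself. One habit that helps is replaying the rule's own cheap tests (destination port from the header, content strings from the options) against the bytes the sensor actually logged: if the logged payload cannot contain the rule's content, the evidence you hold does not support the alert, and the next step is comparing the rule revision on the sensor or checking the host, not hunting for the worm. The script below is an added example, not code from the post or from the Snort project. The rule text, its port 12345, the content string "login|00|token", the SID 9000001 and the alert's destination port are all constructed placeholders; the real SID 108 line must be pulled from the sensor's rules files and passed in instead. The payload bytes are the ones quoted in the post.

```python
"""Re-check a Snort alert against the rule that produced it.

Added example, not code from the original post or from the Snort project.
EXAMPLE_RULE is a CONSTRUCTED stand-in with the shape of a Snort rule; it is
not the text of SID 108. Replace it with the line the sensor actually loaded
(grep for 'sid:108;' across the rules directory) before drawing conclusions.
"""
import re

# Constructed rule: hypothetical port, content and sid, not the real SID 108.
EXAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 '
    '(msg:"EXAMPLE backdoor client login"; flow:to_server,established; '
    'content:"login|00|token"; nocase; sid:9000001; rev:1;)'
)

# Payload as quoted in the post: [length = 5, 000 : 00 00 00 00 45].
ALERT_PAYLOAD = bytes.fromhex("00 00 00 00 45")
ALERT_DST_PORT = 12345  # constructed; the post does not give the port

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# option := name[:value];  value may be a quoted string that contains ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(rule_text):
    """Split a Snort rule into header fields plus an ordered option list."""
    m = HEADER_RE.match(rule_text.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    rule = m.groupdict()
    options = []
    for name, value in OPTION_RE.findall(rule.pop("opts")):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        options.append((name, value))
    rule["options"] = options
    return rule


def content_to_bytes(content):
    """Turn a Snort content string (text with |hex| runs) into raw bytes."""
    out, hexbuf, in_hex = bytearray(), "", False
    for ch in content:
        if ch == "|":
            if in_hex:
                out += bytes.fromhex(hexbuf)
                hexbuf = ""
            in_hex = not in_hex
        elif in_hex:
            hexbuf += ch
        else:
            out += ch.encode("latin-1")
    if in_hex:
        raise ValueError("unterminated |hex| run in content")
    return bytes(out)


def rule_contents(rule):
    """Return (needle_bytes, nocase) for each content option and its modifier."""
    items = []
    for name, value in rule["options"]:
        if name == "content":
            items.append([content_to_bytes(value), False])
        elif name == "nocase" and items:
            items[-1][1] = True  # nocase modifies the preceding content
    return [tuple(i) for i in items]


def recheck_alert(rule, payload, dst_port):
    """Replay the rule's port and content tests against the logged packet.

    'supported' is True only when the destination port fits the header and
    every content string is present in the payload; a rule with no content
    option cannot be refuted this way and counts as supported.
    """
    port_ok = rule["dport"] == "any" or rule["dport"] == str(dst_port)
    found = []
    for needle, nocase in rule_contents(rule):
        hay = payload.lower() if nocase else payload
        found.append((needle.lower() if nocase else needle) in hay)
    all_found = all(found)  # all([]) is True
    return {
        "port_ok": port_ok,
        "contents_found": found,
        "payload_len": len(payload),
        "supported": port_ok and all_found,
    }


if __name__ == "__main__":
    rule = parse_rule(EXAMPLE_RULE)
    print(recheck_alert(rule, ALERT_PAYLOAD, ALERT_DST_PORT))
```

When run with the post's five-byte payload the result reports the content as absent and the alert as unsupported by the logged bytes, which is the concrete reason to go read the rule revision on the sensor rather than search every DMZ host for a registry key. Modifiers such as depth, offset and within are not modelled here; add them when the real rule relies on them.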