[Snort-users] False positives on mysql traffic

James Dickenson jdickenson at ...11827...
Mon Feb 23 21:44:52 EST 2015


Has anyone else noticed these signatures creating false positives on MySQL
traffic (usually 3306)?

Anyone have any thoughts on how to tune it out?



alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Trojan.NetWiredRC variant registration message";
flow:to_server,established; content:"|41 00 00 00 03|"; depth:5;
dsize:<160; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop; reference:url,www.circl.lu/pub/tr-23/;
classtype:trojan-activity; sid:32609; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established;
content:"|01 00 00 00 02|"; depth:5; dsize:5; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop; reference:url,
www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:32610; rev:1;)


-James
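The protocol coincidence behind these alerts, as an added example (not code from the post or from Snort): a MySQL client packet is a 3-byte little-endian length, a 1-byte sequence id, then the payload whose first byte is the command, so a 65-byte COM_QUERY from a client starts with exactly `41 00 00 00 03` and a 1-byte COM_INIT_DB is exactly `01 00 00 00 02`. The script reduces both rules to their content/depth/dsize options, applies them to constructed packets, and decodes the MySQL header as a triage check; the command byte values are assumed from the standard MySQL protocol.

```python
# Added example: why sid 32609/32610 fire on MySQL client traffic, and a decode
# that lets an analyst check whether a hit is just a well-formed MySQL packet.
# Assumptions: standard MySQL command byte values below; each rule is reduced
# to the content/depth/dsize options quoted in the post.

MYSQL_COMMANDS = {0x01: "COM_QUIT", 0x02: "COM_INIT_DB", 0x03: "COM_QUERY", 0x0E: "COM_PING"}

RULES = {
    32609: (bytes.fromhex("4100000003"), 5, lambda n: n < 160),  # depth:5; dsize:<160
    32610: (bytes.fromhex("0100000002"), 5, lambda n: n == 5),   # depth:5; dsize:5
}

def rule_matches(sid, payload):
    """Apply one rule's content/depth/dsize checks to a TCP payload."""
    content, depth, dsize_ok = RULES[sid]
    return content in payload[:depth] and dsize_ok(len(payload))

def decode_mysql_packet(payload):
    """Return the fields of a single well-formed MySQL client packet, else None."""
    if len(payload) < 5:
        return None
    length = int.from_bytes(payload[:3], "little")   # 3-byte LE payload length
    body = payload[4:]                               # payload[3] is the sequence id
    if len(body) != length:                          # length field must agree with dsize
        return None
    return {"length": length, "seq": payload[3],
            "command": MYSQL_COMMANDS.get(body[0], "unknown"), "args": body[1:]}

def build_com_query(sql, seq=0):
    """Constructed sample: encode a COM_QUERY the way a MySQL client sends it."""
    body = b"\x03" + sql.encode()
    return len(body).to_bytes(3, "little") + bytes([seq]) + body

def triage(sid, payload):
    """'no_match' if the rule would not fire; 'mysql' if it fires on a well-formed
    MySQL command packet (a suppression candidate on port 3306); else 'unexplained'."""
    if not rule_matches(sid, payload):
        return "no_match"
    pkt = decode_mysql_packet(payload)
    return "mysql" if pkt and pkt["command"] != "unknown" else "unexplained"

if __name__ == "__main__":
    q = build_com_query("SELECT " + "x" * 57)   # 65-byte body -> header 41 00 00 00, command 03
    print(q[:5].hex(), triage(32609, q))        # 4100000003 mysql
    ka = bytes.fromhex("0100000002")            # the exact 5-byte payload sid 32610 requires
    print(decode_mysql_packet(ka)["command"], triage(32610, ka))   # COM_INIT_DB mysql
```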