On Tue, Feb 06, 2007 at 01:49:55PM -0600, Paul Schmehl wrote:
I was investigating sid 8477 and came across this clear "false positive":
The rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR superspy 2.0
beta runtime detection - file management"; flow:from_server,established;
flowbits:isset,superSpy_20_Beta_FileMgt; content:"|01 03|"; depth:2;
nocase; threshold:type limit, track by_src, count 1, seconds 300;
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726;
classtype:trojan-activity; sid:8477; rev:1;)
<snip>
Every one of these alerts is alerting *correctly* based upon the rules of
the sig (content:"|01 03|"; depth:2;).
Don't forget the flowbits part -- this will only trigger if a packet in
the current session matched 'content:"|01 03|"; depth:2;', which still
isn't that uncommon, especially where I tend to see this rule trigger
a false positive -- p2p traffic.
Something isn't right with this sig. Is it a typo? Or does more research
need to be done to nail this thing down?
I too can confirm that this has a high rate of false positives. I've
never actually seen this keylogger and have no pcaps, so I can't think
of ways to tighten it down.
-jon
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
