
[Snort-sigs] False positive on rules SID=2182

From: Patrick Monfette <patrick.monfette(at)scirso.com>
Date: Wed Mar 31 2004 - 08:56:24 EST


Hi,

    I hope this helps you out for tuning this rule, or maybe just include the information in your database.

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: BACKDOOR typot trojan traffic

--

Sid: 2182

--

Summary:

--

Impact:

--

Detailed Information:


--

Affected Systems:

--

Attack Scenarios:

--

Ease of Attack:

--

False Positives: Oracle server replicating to another server. The source Oracle server is connecting to another Oracle
                 server for replication of data. There's nothing bad about it. Details from ACID at the end of my message.

--

False Negatives:

--

Corrective Action:

--

Contributors: Patrick Monfette <patrick.monfette@scirso.com>


--

Additional References:

--

ACID alert detail

Meta
  ID #                : 1 - 27180
  Time                : 2004-03-31 07:53:21
  Triggered Signature : [snort] BACKDOOR typot trojan traffic
  Sensor name         : IDS1
  interface           : eth1
  filter              : none
  Alert Group         : none

IP
  source addr : 10.50.205.3   (FQDN: Unable to resolve address)
  dest addr   : 10.50.205.11  (FQDN: Unable to resolve address)
  Ver 4   Hdr Len 5   TOS 0   length 48   ID 27516   flags 0   offset 0   TTL 126   chksum 8921
  Options     : none

TCP
  source port : 2351
  dest port   : 1522
  flags       : R1 R0 URG ACK PSH RST SYN FIN
                X   (one flag marked set; the archive does not preserve which column)
  seq # 1472951573   ack 0   offset 7   res 0   window 64240   urp 0   chksum 65033
  Options
    #1  MSS     length 2   data 0564
    #2  NOP     length 0
    #3  NOP     length 0
    #4  SACKOK  length 0

Payload
  none

Patrick Monfette
Systems, Network and Security Administrator
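The tuning step the post leaves open (a "Corrective Action" for this false positive) is shown below as an added example, not code from the post or from Snort: alerts for SID 2182 are checked against a site allowlist of Oracle replication peers on the listener port, and a Snort 2.x threshold.conf suppress line is produced for each confirmed peer. The allowlist, the listener port set and the extra sample alerts are constructed for the example.

```python
# Added example (not from the original post): triage SID 2182 alerts against a
# site allowlist of Oracle replication peers, then emit Snort 2.x suppress lines.
from dataclasses import dataclass
from ipaddress import ip_address

ORACLE_LISTENER_PORTS = {1521, 1522}   # assumption: listener ports in use at the site

@dataclass(frozen=True)
class Alert:
    sid: int
    src: str
    dst: str
    sport: int
    dport: int

# Constructed allowlist of (source, destination) replication pairs; the first
# pair is the one reported in the post above.
REPLICATION_PEERS = {("10.50.205.3", "10.50.205.11")}

def is_known_replication(alert: Alert) -> bool:
    """True only for an allowlisted peer pair talking to an Oracle listener port."""
    if alert.sid != 2182 or alert.dport not in ORACLE_LISTENER_PORTS:
        return False
    return (alert.src, alert.dst) in REPLICATION_PEERS

def suppress_line(alert: Alert) -> str:
    """threshold.conf entry scoped to the source host rather than the whole SID.
    Snort suppress tracks by_src or by_dst only, so this is coarser than the
    pair check above: review the peer list before deploying the line."""
    ip_address(alert.src)  # raises ValueError on a malformed address
    return f"suppress gen_id 1, sig_id {alert.sid}, track by_src, ip {alert.src}"

def triage(alerts):
    """Split alerts into (known false positives, alerts still worth a look)."""
    known, keep = [], []
    for a in alerts:
        (known if is_known_replication(a) else keep).append(a)
    return known, keep

# Constructed sample: the post's alert plus two that must NOT be suppressed.
SAMPLE = [
    Alert(2182, "10.50.205.3", "10.50.205.11", 2351, 1522),
    Alert(2182, "10.50.205.3", "10.50.205.11", 2352, 445),   # same pair, not a listener port
    Alert(2182, "192.0.2.7", "10.50.205.11", 40000, 1522),    # source not a known peer
]

if __name__ == "__main__":
    known, keep = triage(SAMPLE)
    for line in sorted({suppress_line(a) for a in known}):
        print(line)
    print(f"{len(known)} known false positive(s), {len(keep)} alert(s) kept")
```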




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Mon Apr 5 11:08:49 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:46 EDT
