Snort mailing list archives
2.0 bug in flow:?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 1 Aug 2003 03:24:54 +1200
Hi there

I just had a bunch of FPs on the following rule:

alert tcp any any -> any 1080 ( sid: 1000012; rev: 1; msg: "Trimble BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|o|3b|"; depth:50; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b () mm html; classtype: trojan-activity;)

This triggered on a packet from a Win2K server (src port 139) to a client (dst port 1080), that contained the "|3b|o|3b|" content, yada yada.

My problem is that I would have read that as "flow:from_server,established" - not "to_server"... Is the space to blame? If so, shouldn't snort sanity check that?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
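Added example (editor's code, not from the thread and not Snort's own implementation): a small Python model of how a rule like the one above is evaluated. It splits the option list (in this model whitespace after `flow:` is stripped, so `flow: to_server` and `flow:to_server` parse identically), decodes the `|3b|o|3b|` content syntax into bytes, and keeps a minimal session table so that to_server/from_server are judged relative to the host that sent the SYN rather than by which port number looks like a service port. The hosts, ports and payload are constructed, and the session tracking is a deliberate simplification; it says nothing about how Snort's own stream preprocessor decides direction when it has not seen the handshake.

```python
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed model of how a Snort-style rule is evaluated; this is not Snort's
# own code. The rule is the one from the post, minus its reference: option.
RULE = ('alert tcp any any -> any 1080 ( sid: 1000012; rev: 1; '
        'msg: "Trimble BugBear B Backdoor Attack"; '
        'flow: to_server,established; content: "|3b|o|3b|"; depth:50; '
        'classtype: trojan-activity;)')
Endpoint = Tuple[str, int]

def parse_options(rule: str) -> Dict[str, str]:
    """Option body -> {name: value}. Whitespace around ':' is stripped, so
    'flow: to_server' parses like 'flow:to_server'. Naive: no ';' inside quotes."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = {}
    for item in body.split(';'):
        if ':' in item:
            name, value = item.split(':', 1)
            opts[name.strip()] = value.strip().strip('"')
    return opts

def header_ports(rule: str) -> Tuple[str, str]:
    """'alert tcp any any -> any 1080' -> ('any', '1080')."""
    head = rule[:rule.index('(')].split()
    return head[3], head[6]

def content_bytes(spec: str) -> bytes:
    """Snort content syntax: text with |hex| runs; "|3b|o|3b|" -> b';o;'."""
    out = bytearray()
    for i, chunk in enumerate(spec.split('|')):
        out += bytes.fromhex(chunk.replace(' ', '')) if i % 2 else chunk.encode('latin-1')
    return bytes(out)

class FlowTracker:
    """to_server / from_server are relative to the host that sent the SYN,
    not to which port number looks like a service port."""

    def __init__(self) -> None:
        self.sessions: Dict[FrozenSet[Endpoint], dict] = {}

    def observe(self, src: Endpoint, dst: Endpoint, flags: str) -> None:
        key = frozenset((src, dst))
        sess = self.sessions.get(key)
        if sess is None:
            if flags == 'S':                       # bare SYN opens a session
                self.sessions[key] = {'client': src, 'established': False}
        elif flags == 'A':                         # handshake ACK completes it
            sess['established'] = True

    def handshake(self, a: Endpoint, b: Endpoint) -> None:
        self.observe(a, b, 'S'); self.observe(b, a, 'SA'); self.observe(a, b, 'A')

    def direction(self, src: Endpoint, dst: Endpoint) -> Optional[str]:
        sess = self.sessions.get(frozenset((src, dst)))
        if sess is None or not sess['established']:
            return None                            # flow:established cannot hold
        return 'to_server' if src == sess['client'] else 'from_server'

def rule_matches(rule: str, tracker: FlowTracker,
                 src: Endpoint, dst: Endpoint, payload: bytes) -> bool:
    src_spec, dst_spec = header_ports(rule)
    for spec, port in ((src_spec, src[1]), (dst_spec, dst[1])):
        if spec != 'any' and int(spec) != port:    # header port check
            return False
    opts = parse_options(rule)
    flow = {f.strip() for f in opts.get('flow', '').split(',')}
    direction = tracker.direction(src, dst)
    if 'established' in flow and direction is None:
        return False
    if ('to_server' in flow or 'from_server' in flow) and direction not in flow:
        return False
    depth = int(opts.get('depth', len(payload)))
    return content_bytes(opts['content']) in payload[:depth]

def demo() -> Dict[str, bool]:
    payload = b'\x00' * 10 + b';o;' + b'\x00' * 20  # constructed; ';o;' inside depth:50
    results = {}
    # Case 1, the post's FP: port 1080 is an ephemeral port on a client that opened
    # an SMB session to port 139. The reply server -> client matches the header
    # (dst port 1080) but is from_server, so the model does not alert.
    t = FlowTracker()
    client, server = ('10.0.0.5', 1080), ('10.0.0.9', 139)
    t.handshake(client, server)
    results['smb_reply_to_port_1080'] = rule_matches(RULE, t, server, client, payload)
    # Case 2, the intended hit: a peer connects to a listener on 1080 and sends the
    # bytes; 1080 is the server side of that session, so to_server holds.
    t = FlowTracker()
    peer, listener = ('192.0.2.7', 40000), ('10.0.0.5', 1080)
    t.handshake(peer, listener)
    results['connect_to_1080_listener'] = rule_matches(RULE, t, peer, listener, payload)
    # Case 3: same packet, but no handshake was seen, so flow:established fails.
    results['midstream_no_handshake'] = rule_matches(RULE, FlowTracker(), peer, listener, payload)
    return results

if __name__ == '__main__':
    for name, hit in demo().items():
        print(f'{name}: {"ALERT" if hit else "no alert"}')
```

The point the three cases make: the header `-> any 1080` and `flow:to_server` only agree when the host owning port 1080 is the one that accepted the connection. When 1080 is merely an ephemeral client port of an SMB session, the header still matches but the direction is from_server, and when the session was never seen from its SYN the model has no basis for `established` at all.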
Current thread:
- 2.0 bug in flow:? Jason Haar (Jul 31)
- Re: 2.0 bug in flow:? Matt Kettler (Jul 31)
- Re: 2.0 bug in flow:? Jason Haar (Jul 31)
- Re: 2.0 bug in flow:? Matt Kettler (Jul 31)
- Re: 2.0 bug in flow:? Jason Haar (Aug 01)
- Re: 2.0 bug in flow:? Jason Haar (Jul 31)
- Re: 2.0 bug in flow:? Matt Kettler (Jul 31)