wrong flow side on very old sid 1675 (always present on SEU 493)

[rmkml <rmkml () yahoo fr>]

Hi,
Maybe Im find a wrong flow side on very old sid 1675:
  oracle.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; 
flow:from_server,established;
  content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; 
nocase; classtype:suspicious-login; sid:1675; rev:4;)
but this sig always exist on last SEU 493.
Regards
Rmkml

http://twitter.com/rmkml


------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better 
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!