Snort mailing list archives

BACKDOOR QAZ Worm Client Login access? False positive?


From: sart () trialgraphix com
Date: Thu, 20 May 2004 14:57:55 -0400

Hello all.  This is my first post! 
I am a newbie to Snort, and believe I have gotten my first false positive. 
I searched the archives and googled, and it seems that 2 people have 
posted this same scenario before, but I couldn't find any replies. 

The SID is 108 and the message is "BACKDOOR QAZ Worm Client Login access."
I have the sensor on a port mirroring all traffic to the DMZ. 
The Source address in the "SID 108" alert is the internal address of our 
SMTP server, and the Destination is 192.6.1.3. 
The Payload is [length = 5, 000 : 00 00 00 00 45]

The write-up in the Snort sig database was very specific and told me what 
reg key to look for, and what file to look for.  The write-up said that 
false positives were not likely, but I searched for the reg key and the 
supposed Trojan file on every computer on the DMZ and found nothing 
related to the sig write-up. 

I realize this is 99 percent likely a false positive but any advice as to 
how I can decipher that myself in the future would be greatly appreciated. 
Like they say, catch a fish for a man and he will eat for a day, but 
teach him how to fish and he will eat forever. 

Thanks, guys. 
Seth Art
Computer Support Specialist
TrialGraphix - Exhibits, Technologies, and Trial Consulting
800-334-5403
305-576-5400
Fax: 305-576-0188
http://www.trialgraphix.com
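As an added example (not part of the post above, and not the Snort project's own rule text), here is the kind of check an analyst can script to answer "why did this rule fire on this packet?" before deciding whether an alert is a false positive. It assumes Snort 2 rule syntax. The rule it parses is a constructed local rule (sid 1000001) that only reuses the 5-byte payload quoted in the post; it is not the real SID 108 rule, which you should read from your own rules files (for example `grep -r 'sid:108;' /etc/snort/rules/`). The source IP, source port and destination port of the sample alert are assumed, since the post does not give them.

```python
import re
from dataclasses import dataclass

# Constructed sample rule in Snort 2 syntax. This is NOT the text of the real
# SID 108 rule; it only reuses the payload bytes quoted in the post so the
# walk-through has something to match. Local rules use SIDs of 1000000+.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 '
    '(msg:"LOCAL example backdoor client login"; flow:to_server,established; '
    'content:"|00 00 00 00 45|"; dsize:5; sid:1000001; rev:1;)'
)

# Rule header layout: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


@dataclass
class Alert:
    """The fields an analyst can read off a Snort alert / packet log."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_content(value: str) -> bytes:
    """Turn a Snort content string into bytes: text outside |...| is literal,
    text inside |...| is hex, e.g. 'abc|00 45|' -> b'abc\\x00\\x45'."""
    out = bytearray()
    for i, part in enumerate(value.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def parse_options(body: str):
    """Split the (...) option body into (keyword, value) pairs.
    Simplification: a ';' escaped inside a content string is not handled."""
    opts = []
    for raw in body.split(';'):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(':')
            opts.append((key.strip(), val.strip().strip('"')))
    return opts


def port_matches(spec: str, port: int) -> bool:
    """Snort port spec: 'any', one port, or a 'lo:hi' range (open ends allowed)."""
    if spec == 'any':
        return True
    if ':' in spec:
        lo, _, hi = spec.partition(':')
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def dsize_matches(spec: str, size: int) -> bool:
    """dsize forms: N, <N, >N, or lo<>hi."""
    if '<>' in spec:
        lo, _, hi = spec.partition('<>')
        return int(lo) <= size <= int(hi)
    if spec.startswith('<'):
        return size < int(spec[1:])
    if spec.startswith('>'):
        return size > int(spec[1:])
    return size == int(spec)


def triage(rule_text: str, alert: Alert):
    """Re-evaluate each packet-level criterion of the rule against the alert and
    return (all_matched, {criterion: matched}). Address variables ($HOME_NET,
    $EXTERNAL_NET) and flow state are deliberately not checked: they depend on
    the sensor's snort.conf and stream table, so verify those by hand."""
    m = HEADER_RE.match(rule_text)
    if not m:
        raise ValueError('unparsable rule header')
    checks = {
        f'src port {m["sport"]}': port_matches(m['sport'], alert.src_port),
        f'dst port {m["dport"]}': port_matches(m['dport'], alert.dst_port),
    }
    for key, val in parse_options(m['opts']):
        if key == 'content':
            checks[f'content {val}'] = parse_content(val) in alert.payload
        elif key == 'dsize':
            checks[f'dsize {val}'] = dsize_matches(val, len(alert.payload))
    return all(checks.values()), checks


# Constructed alert in the shape the post describes: internal SMTP server as
# source, 192.6.1.3 as destination, 5-byte payload 00 00 00 00 45. The source
# IP, source port and destination port are ASSUMED; the post does not give them.
POST_ALERT = Alert('10.0.0.25', 33412, '192.6.1.3', 7597,
                   bytes.fromhex('0000000045'))

if __name__ == '__main__':
    fired, checks = triage(SAMPLE_RULE, POST_ALERT)
    for name, ok in checks.items():
        label = 'match' if ok else 'MISS'
        print(f'{label:6} {name}')
    if fired:
        print('Every packet criterion matched: the rule fired as written. The question'
              ' is now whether this host should ever talk to that port and peer.')
```

When every criterion comes back as a match, the sensor did what the rule asked; whether it is a false positive is then a question about the traffic, not the signature: which process on the SMTP server opened the connection (netstat or the host firewall log at the time of the alert), who owns the destination address, and whether the rule's content is short or generic enough to appear in unrelated protocols. A criterion that comes back as a miss usually means the alert was raised on a different packet of the same stream than the one logged, or that the rule in the rules file differs from the one you looked at, and both are worth confirming before closing the ticket.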


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
