Snort mailing list archives
BACKDOOR QAZ Worm Client Login access? False positive?
From: sart () trialgraphix com
Date: Thu, 20 May 2004 14:57:55 -0400
Hello all. This is my first post! I am a newbie to snort, and believe I have gotten my first false positive. I searched the archives and googled and it seems that 2 people have posted this same scenario before, but I couldn't find any replies.

The SID is 108 and the message is "BACKDOOR QAZ Worm Client Login access." I have the sensor on a port mirroring all traffic to the DMZ. The Source address in the "SID 108" alert is the internal address of our SMTP server, and the Destination is 192.6.1.3. The Payload is [length = 5, 000 : 00 00 00 00 45].

The write-up in the snort sig database was very specific and told me what reg key to look for, and what file to look for. The write-up said that false positives were not likely, but I searched for the reg key and the supposed Trojan file on every computer on the DMZ and found nothing related to the sig write-up.

I realize this is 99 percent likely a false positive, but any advice as to how I can decipher that myself in the future would be greatly appreciated. Like they say, catch a fish for a man and he will eat for a day, but teach him how to fish and he will eat forever.

Thanks Guys.

Seth Art
Computer Support Specialist
TrialGraphix - Exhibits, Technologies, and Trial Consulting
800-334-5403
305-576-5400
Fax: 305-576-0188
http://www.trialgraphix.com
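The poster asks how to judge a content-match alert like this one without waiting for a reply. An added example follows; it is not code from the Snort project or from the original poster. It parses a Snort "fast"-format alert line constructed to mirror the post (the SMTP server's internal address, the source port, the rule revision and the timestamp are made up; the 192.6.1.3 destination and the five payload bytes are the poster's) and scores the match on the things a practitioner checks first: how long the matched content is, how much of it is 0x00 (length and padding fields in binary protocols are full of nulls), and whether either port is the backdoor's listener port. The QAZ port value (7597) and the thresholds are my assumptions; the first step in any real triage is still to open the rule in your local rules file and read exactly what SID 108 matches on.

```python
import re
from collections import Counter

# Constructed alert line in Snort's -A fast format, modelled on the post.
# Source address, source port, rule revision and timestamp are invented;
# the destination host is the one named in the post.
ALERT_LINE = (
    "05/20-14:57:55.123456  [**] [1:108:5] BACKDOOR QAZ Worm Client Login access [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] "
    "{TCP} 10.0.0.25:2049 -> 192.6.1.3:25"
)

# The five payload bytes reported in the post: 00 00 00 00 45.
PAYLOAD = bytes.fromhex("0000000045")

# Assumption: the TCP port the QAZ backdoor listens on, per public write-ups.
QAZ_PORT = 7597

FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_fast_alert(line):
    """Pull gid/sid/rev, message, protocol and the 4-tuple out of a fast alert line."""
    m = FAST_RE.search(line)
    if not m:
        raise ValueError("not a Snort fast-format alert line")
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d


def payload_specificity(payload):
    """Describe how much evidence a content match on these bytes really carries."""
    counts = Counter(payload)
    return {
        "length": len(payload),
        "distinct_bytes": len(counts),
        "null_fraction": counts.get(0, 0) / len(payload) if payload else 0.0,
        "printable": bool(payload) and all(0x20 <= b < 0x7F for b in payload),
    }


def triage(line, payload, backdoor_port=QAZ_PORT):
    """Return (verdict, reasons, parsed_alert) for one content-match alert.

    Thresholds are my assumptions: an 8-byte match and a 50% null fraction
    are rough cut-offs, not anything the Snort rule language defines.
    """
    alert = parse_fast_alert(line)
    spec = payload_specificity(payload)
    reasons = []
    if spec["length"] < 8:
        reasons.append(f"content match is only {spec['length']} bytes long")
    if spec["null_fraction"] >= 0.5:
        reasons.append("matched bytes are mostly 0x00, common in length/padding fields of binary protocols")
    if backdoor_port not in (alert["sport"], alert["dport"]):
        reasons.append(
            f"neither port ({alert['sport']}, {alert['dport']}) is the backdoor's listener port {backdoor_port}"
        )
    verdict = "likely false positive" if len(reasons) >= 2 else "needs host inspection"
    return verdict, reasons, alert


if __name__ == "__main__":
    verdict, reasons, alert = triage(ALERT_LINE, PAYLOAD)
    print(f"SID {alert['sid']} {alert['src']}:{alert['sport']} -> {alert['dst']}:{alert['dport']}: {verdict}")
    for r in reasons:
        print("  -", r)
```

For the poster's alert all three checks fire: a 5-byte match, four of the five bytes null, and SMTP-to-external traffic that never touches the backdoor port, which is the same conclusion the host search reached, reached from the alert alone. A match that was long, non-null and on the right port would instead come back as "needs host inspection", which is when the registry and file checks from the signature write-up earn their time.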
Current thread:
- BACKDOOR QAZ Worm Client Login access? False positive? sart (May 20)
- Re: BACKDOOR QAZ Worm Client Login access? Matt Kettler (May 20)
- Re: BACKDOOR QAZ Worm Client Login access? sart (May 21)
- Re: BACKDOOR QAZ Worm Client Login access? Matt Kettler (May 20)