[Emerging-Sigs] False positives due to poor port choices

ANDREW J WOOD AJWOOD at sentara.com
Fri Jan 2 16:43:31 EST 2009


I enjoy using the ET sigs, but end up with a TON of false positives due to what I believe are poor port choices.  Take the following signature as an example:

emerging-virus.rules:alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server;dsize:1;content:"d"; classtype:trojan-activity; sid:2008335; rev:3;)

This rule triggered on an Active FTP session with the source port of 20.  Since this is a "FROM_SERVER" connection, wouldn't the rule be better written as:

emerging-virus.rules:alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server;dsize:1;content:"d"; classtype:trojan-activity; sid:2008335; rev:3;)

There are many rules with "1024: -> any" and "any -> 1024:"

If I'm not out to lunch, is there any sanity checking that can be performed before these rules are posted?

Thanks,
Andy
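As an added illustration of the port-choice problem above (not code from the post or from the Emerging Threats project), the snippet below parses Snort rule headers, evaluates them against the active-FTP data flow described (external ephemeral port to port 20 on $HOME_NET) to show that the original header matches while the tightened one does not, and implements the "sanity check" the post asks for as a lint that flags headers pairing "1024:" with "any". Function names and the flow ports are my assumptions; bracketed port lists are not handled.

```python
import re

# Constructed from the rule quoted in the post (grep-style "file:" prefix included).
ORIGINAL_RULE = ('emerging-virus.rules:alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any '
                 '(msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; '
                 'flow:established,from_server;dsize:1;content:"d"; '
                 'classtype:trojan-activity; sid:2008335; rev:3;)')
ORIGINAL_HEADER = "tcp $EXTERNAL_NET 1024: -> $HOME_NET any"
TIGHTENED_HEADER = "tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024:"

HEADER_RE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)$")


def rule_header(rule):
    """Strip an optional 'file:' prefix and the action, return the header before '('."""
    head = rule.split("(", 1)[0].strip()
    head = re.sub(r"^[\w.\-]+\.rules:", "", head)      # drop grep-style filename prefix
    return re.sub(r"^(alert|log|pass|drop|reject|sdrop)\s+", "", head)


def port_matches(spec, port):
    """Snort single-port syntax: 'any', '20', '1024:', ':1023', '20:21', '!80'."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:                                      # open or closed range
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def parse_header(header):
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError("unrecognised rule header: " + header)
    proto, _src_net, src_port, direction, _dst_net, dst_port = m.groups()
    return {"proto": proto, "src_port": src_port, "dir": direction, "dst_port": dst_port}


def header_matches_flow(header, src_port, dst_port):
    """Would this header's port constraints match a packet with these ports?"""
    h = parse_header(header)
    return port_matches(h["src_port"], src_port) and port_matches(h["dst_port"], dst_port)


def lint_header(header):
    """Flag the pattern the post complains about: '1024:' on one side, 'any' on the other."""
    h = parse_header(header)
    if {h["src_port"], h["dst_port"]} >= {"1024:", "any"}:
        return "ephemeral range on one side but 'any' on the other: matches well-known service ports too"
    return None
```

Running lint_header over every rule header in a .rules file gives the pre-publication check the post asks for, before the rule reaches a sensor.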


