[Emerging-Sigs] False positives due to poor port choices

jonkman@jonkmans.com jonkman at jonkmans.com
Fri Jan 2 16:51:04 EST 2009


Really? You had an ftp session with a one byte packet? Wow, what are the odds!

The change you propose to that sig is a good one though. As far as I know we haven't seen that one use a low port for a cnc. 

As far as sanity checking, we do all we can and have some automated QA. But we rely most on these kinds of feedback reports. Please keep em coming!

Appreciate it. Will get this change posted asap. 

Matt

------Original Message------
From: ANDREW J WOOD
Sender: 
To: emerging-sigs at emergingthreats.net
Sent: Jan 2, 2009 4:43 PM
Subject: [Emerging-Sigs] False positives due to poor port choices

I enjoy using the ET sigs, but end up with a TON of false positives due to what I believe are poor port choices.  Take the following signature as an example:

emerging-virus.rules:alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server;dsize:1;content:"d"; classtype:trojan-activity; sid:2008335; rev:3;)

This rule triggered on an Active FTP session with the source port of 20.  Since this is a "FROM_SERVER" connection, wouldn't the rule be better written as:

emerging-virus.rules:alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server;dsize:1;content:"d"; classtype:trojan-activity; sid:2008335; rev:3;)

There are many rules with "1024: -> any" and "any -> 1024:"

If I'm not out to lunch, is there any sanity checking that can be performed before these rules are posted?

Thanks,
Andy

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


Sent via BlackBerry by AT&T
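Andy asks whether rules can be sanity-checked before they are posted. As an added example (not from this thread or the ET project's own QA), here is a small Python linter that parses single-line Snort rules and flags the "1024: -> any" / "any -> 1024:" header pattern he describes, with a note when such a rule also relies on a one-byte payload. The sample rule set is constructed: his rule as quoted, a tightened copy with the rev bumped, and two hypothetical rules with made-up sids as controls.

```python
import re

# Constructed sample set: Andy's quoted rule (rev:3), his tightened version
# (rev bumped to 4 here), and two hypothetical rules with made-up sids as controls.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server;dsize:1;content:"d"; classtype:trojan-activity; sid:2008335; rev:3;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server;dsize:1;content:"d"; classtype:trojan-activity; sid:2008335; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"HYPOTHETICAL beacon"; flow:established,to_server; content:"|01 02 03 04|"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"HYPOTHETICAL control"; flow:established,from_server; content:"|01 02 03 04|"; sid:9000002; rev:1;)
"""
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(line):
    """Ports plus an options dict for one single-line Snort rule (None if the line
    is not a rule). Options are split naively on ';', fine for the samples above."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    _, _, _, sport, _, _, dport, raw_opts = m.groups()
    opts = {}
    for opt in raw_opts.split(";"):
        key, _, value = opt.strip().partition(":")
        if key:
            opts[key] = value.strip()
    return {"sport": sport, "dport": dport, "opts": opts}

def check_rule(rule):
    """The port-choice problems this thread describes, for one parsed rule."""
    problems = []
    sport, dport = rule["sport"], rule["dport"]
    # One side pinned to ephemeral ports and the other left 'any': a legitimate
    # service on a low port (active FTP data on 20) then satisfies the header.
    if sport == "1024:" and dport == "any":
        problems.append("1024: -> any leaves the destination port open")
    if sport == "any" and dport == "1024:":
        problems.append("any -> 1024: leaves the source port open")
    # A one-byte payload is weak evidence, so an open port side makes it worse.
    if problems and rule["opts"].get("dsize") == "1":
        problems.append("dsize:1 with an open port side is a false-positive magnet")
    return problems

def lint_rules(text):
    """Map 'sid/rev' to its problem list; rules with no problems are omitted."""
    report = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        problems = check_rule(rule) if rule else []
        if problems:
            report[f"{rule['opts'].get('sid')}/{rule['opts'].get('rev')}"] = problems
    return report
```

Running `lint_rules(SAMPLE_RULES)` reports the quoted rev:3 rule and the hypothetical "any -> 1024:" rule, while the tightened rev:4 copy passes clean.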

