[Emerging-Sigs] False Positive - ET MALWARE SOCKSv4 Inbound...

dxp dxp2532 at gmail.com
Sun Jan 18 23:24:42 EST 2009


Looks like a FP on 2003283 "ET MALWARE SOCKSv4 Inbound Connect Request
(Linux Source)"

Here's the payload:

        000 : 04 01 20 48 CD 8A B7 FE 10 7E 55 DD    .. H.....~U.

Destination was a user's workstation running Linux without any open
ports.  According to one of the links in the sig, "Simple extension to
SOCKS 4 Protocol", the first 2 bytes match; however, the last byte should
be NULL, which is not the case here.
-  

-=[ dxp ]=-
0xA3F3C6E3
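A small parser, added here as an example and not part of the original post or of the ET signature, that applies the check described above to the quoted payload: it decodes the SOCKSv4 header (VN, CD, DSTPORT, DSTIP) and reports whether the trailing USERID field is NULL-terminated. The WELL_FORMED request and the function and field names are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Payload quoted in the post, reconstructed from the hex dump (12 bytes).
REPORTED_PAYLOAD = bytes.fromhex("04 01 20 48 CD 8A B7 FE 10 7E 55 DD")

# Constructed well-formed SOCKSv4 CONNECT to 203.0.113.10:8080, userid "bob".
WELL_FORMED = (bytes([0x04, 0x01])
               + struct.pack("!H4s", 8080, bytes([203, 0, 113, 10]))
               + b"bob\x00")


@dataclass
class Socks4Request:
    command: int          # 0x01 CONNECT, 0x02 BIND
    dst_port: int
    dst_ip: str
    userid: bytes         # USERID without its terminator
    null_terminated: bool # SOCKS4 requires a NULL after USERID
    userid_printable: bool

    @property
    def well_formed(self) -> bool:
        """True only when the request satisfies the SOCKS4 layout."""
        return self.null_terminated and self.userid_printable


def parse_socks4(data: bytes) -> Optional[Socks4Request]:
    """Parse a SOCKSv4 request; None if the first bytes are not even
    a SOCKS4 version/command pair (the sig's first-two-byte match)."""
    if len(data) < 8 or data[0] != 0x04 or data[1] not in (0x01, 0x02):
        return None
    port, raw_ip = struct.unpack("!H4s", data[2:8])
    tail = data[8:]
    # The protocol mandates a NULL after USERID. Twelve bytes ending in
    # 0xDD, as in the post, therefore cannot be a complete SOCKS4 request.
    null_terminated = tail.endswith(b"\x00")
    body = tail[:-1] if null_terminated else tail
    printable = all(0x20 <= b < 0x7F for b in body)
    return Socks4Request(
        command=data[1],
        dst_port=port,
        dst_ip=".".join(str(b) for b in raw_ip),
        userid=body,
        null_terminated=null_terminated,
        userid_printable=printable,
    )
```

Running `parse_socks4(REPORTED_PAYLOAD)` decodes a CONNECT to 205.138.183.254:8264 with no NULL terminator, so `well_formed` is False, which is the argument the post makes for calling this a false positive.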

