https://community.cisco.com/t5/network-security/malware-backdoor-wow-23-runtime-detection/m-p/3070896#M18507 <P>The string is apparently something found in the WOW 23 trojan horse program network communications. &nbsp;The rule is only enabled today in the Security Over Connectivity rule set which means it probably has more false positives. &nbsp;The real question is do you need a 10 year old Snort rule enabled? &nbsp;</P> Thu, 01 Jun 2017 03:02:58 GMT atatistc 2017-06-01T03:02:58Z https://community.cisco.com/t5/network-security/malware-backdoor-wow-23-runtime-detection/m-p/3070895#M18487 <P>Please explain this rule how it works.</P> <P>&nbsp;</P> <P>Is it detecting the alert based only on the content <STRONG><U>"R|00|23"</U></STRONG>. &nbsp;Please explain how to figure this out.</P> <P>&nbsp;</P> <P><STRONG><U>IPS Rule:</U></STRONG></P> <P>&nbsp;</P> <P>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wow 23 runtime detection"; flow:to_client,established; <STRONG><U>content:"R|00|23";</U></STRONG> depth:4; detection_filter:track by_src, count 3, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/0_9/23/23_0.3.html; classtype:trojan-activity; sid:10184; rev:6; )</P> <P>&nbsp;</P> Mon, 29 May 2017 14:49:02 GMT https://community.cisco.com/t5/network-security/malware-backdoor-wow-23-runtime-detection/m-p/3070895#M18487 ramachandran.gunasekaran 2017-05-29T14:49:02Z https://community.cisco.com/t5/network-security/malware-backdoor-wow-23-runtime-detection/m-p/3070896#M18507 <P>The string is apparently something found in the WOW 23 trojan horse program network communications. &nbsp;The rule is only enabled today in the Security Over Connectivity rule set which means it probably has more false positives. &nbsp;The real question is do you need a 10 year old Snort rule enabled? &nbsp;</P> Thu, 01 Jun 2017 03:02:58 GMT https://community.cisco.com/t5/network-security/malware-backdoor-wow-23-runtime-detection/m-p/3070896#M18507 atatistc 2017-06-01T03:02:58Z