09-04-2007 08:46 AM - edited 03-10-2019 03:46 AM
I have a lot of false positives of signature 5894 ("Storm Worm") in Subsignature 0, especially from host "static.ak.studivz.net".
The signature definition is just looking for "Server: ngin" in HTTP downloads, which is really unspecific from my point of view.
What do you think about this signature?
09-04-2007 09:17 AM
The s298 version of the signature will trigger on traffic from that site. That site runs nginx v0.5.10.
The s299 version of the same signature, released August 28, will not, as it more closely constrains the signature to the version of nginx associated with web servers hosting the various trojan binaries.
09-06-2007 12:05 PM
This signature is still susceptible to false positives and I have seen many. A fidelity rating of 90 is hardly accurate when all you're doing is checking for an HTTP SERVER header that is used by a legitimate and freely available web server. Is there any way you could tighten it up by also checking the CONTENT TYPE?
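To illustrate the tightening suggested in the post above, here is an added Python example; it is not code from the thread, from the poster, or from Cisco's signature set. It runs a loose check for a "Server: ngin" header (the s298 behaviour as described in this thread) and a variant that additionally requires a binary Content-Type, over a handful of constructed HTTP responses. The sample responses, the nginx version string in the binary-download sample, and the list of "binary" content types are all assumptions made for the example; the thread does not give the actual s299 pattern.

```python
import re

# Constructed HTTP responses (not captured traffic): (description, is_malicious, raw bytes).
# The "binary download" sample is a stand-in for a trojan download; its nginx version
# (0.5.17) is an arbitrary choice for the example and is not taken from the thread.
SAMPLES = [
    ("static asset from a legitimate nginx 0.5.10 site", False,
     b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.10\r\nContent-Type: image/gif\r\n"
     b"Content-Length: 43\r\n\r\nGIF89a..."),
    ("HTML page from a legitimate nginx site", False,
     b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.10\r\nContent-Type: text/html; charset=utf-8\r\n"
     b"\r\n<html>..."),
    ("executable served by Apache", False,
     b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\nContent-Type: application/octet-stream\r\n"
     b"\r\nMZ..."),
    ("hypothetical binary download from an nginx host", True,
     b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.17\r\nContent-Type: application/octet-stream\r\n"
     b"\r\nMZ..."),
]

# Loose check as described in the thread: a Server header that starts with "ngin".
LOOSE_SERVER = re.compile(rb"^Server: ngin", re.M)

# Assumed set of content types that a binary download would carry; an example choice only.
BINARY_CONTENT_TYPE = re.compile(
    rb"^Content-Type: application/(?:octet-stream|x-msdownload|x-msdos-program)",
    re.M | re.I,
)


def response_headers(raw: bytes) -> bytes:
    """Return only the header block so body bytes cannot satisfy a header pattern."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    return head


def loose_match(raw: bytes) -> bool:
    """s298-style check: Server header alone."""
    return LOOSE_SERVER.search(response_headers(raw)) is not None


def tight_match(raw: bytes) -> bool:
    """Suggested tightening: Server header AND a binary Content-Type."""
    head = response_headers(raw)
    return (LOOSE_SERVER.search(head) is not None
            and BINARY_CONTENT_TYPE.search(head) is not None)


def evaluate(signature, samples=SAMPLES):
    """Count (true positives, false positives) for a signature over the sample set."""
    tp = fp = 0
    for _desc, malicious, raw in samples:
        if signature(raw):
            if malicious:
                tp += 1
            else:
                fp += 1
    return tp, fp


if __name__ == "__main__":
    print("loose (Server only):          tp, fp =", evaluate(loose_match))
    print("tight (Server + Content-Type): tp, fp =", evaluate(tight_match))
```

Over these constructed samples the Server-only check fires on both legitimate nginx responses (two false positives) while the two-condition variant fires only on the binary download; it also shows the cost of gating on Content-Type, since a host that labels its downloads with an unexpected type would be missed.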
09-06-2007 12:22 PM
Also, it appears that 5894-0 has benign triggers caused by DNS queries. I haven't had an opportunity to get a trace, but queries from our mail server to our DNS server have triggered this signature.
09-07-2007 06:33 AM
We are seeing the same issue for 5894-1 on our DNS traffic. Given that the sig appears to simply look for one of several hex combos (regex = \xe3[\x0a-\x0f]) occurring in any UDP session, it is not really unexpected that there will be quite a few 'random' triggers on DNS. As usual, the determination becomes whether to accept the 'noise' or filter. Our DNS hits are low enough that we chose to accept it as is.
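As an added illustration of the point made in the post above, the following Python example (not code from the thread or from the poster) applies the quoted two-byte regex to constructed DNS queries and sweeps every possible transaction ID to show where a plain query can trip it. It assumes the pattern is matched against the raw UDP payload, as the post describes; the query name and the query volume used for the rate estimate are made up for the example.

```python
import re
import struct

# Two-byte pattern as quoted in the thread for 5894-1.
SIG_REGEX = re.compile(rb"\xe3[\x0a-\x0f]")


def build_dns_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Build a minimal standard DNS query (constructed sample traffic, not a capture).

    Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0; then one question.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")
    )
    question += b"\x00" + struct.pack(">HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def triggers(payload: bytes) -> bool:
    """Apply the signature regex to a UDP payload the way a raw content match would."""
    return SIG_REGEX.search(payload) is not None


def triggering_txids(qname: str, qtype: int = 1):
    """Sweep all 65536 transaction IDs for one query and return the IDs that fire.

    For a plain ASCII query the only place 0xe3 can appear is the high byte of the
    transaction ID, so the hits are exactly the IDs 0xe30a..0xe30f.
    """
    return [
        txid for txid in range(0x10000)
        if triggers(build_dns_query(txid, qname, qtype))
    ]


def expected_false_positives(queries_per_day: int, qname: str) -> float:
    """Expected daily triggers if the resolver draws transaction IDs uniformly.

    Assumption for the example: uniform random IDs; a resolver that increments IDs
    sequentially would instead hit the six IDs once per full cycle.
    """
    hits = len(triggering_txids(qname))
    return queries_per_day * hits / 0x10000


if __name__ == "__main__":
    ids = triggering_txids("mail.example.com")
    print("triggering transaction IDs:", [hex(i) for i in ids])
    print("expected triggers per 1M queries:",
          round(expected_false_positives(1_000_000, "mail.example.com"), 1))
```

Responses add more opportunities for a match (TTLs, addresses and other rdata are arbitrary bytes), so the rate on a busy resolver will be higher than the query-only estimate; the sweep above is the lower bound that a single constant query already produces.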
09-12-2007 11:30 AM
By default it's configured to look at traffic on #WEBPORTS and 53/tcp and/or 53/udp is not part of the #WEBPORTS listing.
09-12-2007 11:28 AM
Hi,
I have noticed this also in my infrastructure.
DNS 53/tcp traffic between 2 Unix servers generates events for 5894-0.
I have opened TAC # 606829027 just before checking the forum...