
Signatures not firing correctly

scruggss
Level 1

I'm having an issue with signatures not firing correctly. Some of the backdoor trojan signatures are firing; the NSDB says that it is looking for a certain string in the packet going over a certain port. This has happened on several signatures. I get the discrepancy when I look at the context buffer and do not see the string that it is looking for.

Are these signatures firing simply by going over a particular point? It seems that the sensing engine is not looking at the packet, just the port.

Other than filtering out thousands of false positives, is there any way to get the signatures to fire correctly?

Any help would be appreciated.

-Steve

3 Replies

craiwill
Cisco Employee

If you could provide me with the sig-ids for the signatures you’re describing I will investigate this issue. Several of these signatures use max inspect length and a very short regex which may prevent the entire trigger string from showing up in the context buffer. Any traffic samples you could provide may also be helpful.

Craig Williams

Cisco Systems

The signatures that are firing (at least today) are 9546 and 9476. The traffic seems to be FTP data (source or destination port 20). The most common instance we have is for virus and trojan signatures and 99% of the time is FTP data.

Any assistance would be appreciated.

-Steve

FTP activity may fire these signatures simply because quite a few of the back doors install FTP servers. We have disabled these signatures by default because they detect fairly old back doors and may false positive. That being said, we will research these signatures for possible modification in an upcoming signature release. It would be extremely helpful if you could provide a traffic sample of the activity you're describing; without one it will be difficult to ensure that any new versions address your issue.
