Project

General

Profile

Actions

Bug #283

closed

Invalid trigger of rule 1:2008100:10 (running Suricata 1.0.3 on FC14)

Added by John Pile over 13 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Rule 2008100 is being triggered when I access a management page on a Splunk server in my LAN:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; content:"/cfg.bin"; nocase; http_uri; fast_pattern; content:"GET"; http_method; nocase; content:"no-cache|0d 0a|"; http_header; nocase; pcre:"/\/cfg\.bin$/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG; sid:2008100; rev:10;)

Alarm:

04/18/11-19:37:56.330768  [**] [1:2008100:10] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download [**] [Classification: A Network Trojan was detected] [Priority: 3] {6} 192.168.11.160:8000 -> 167.235.7.71:36388 [Xref => http://doc.emergingthreats.net/2008100][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG]

I'm unable to find the string "cfg" (case insensitive) within the TCP conversation that includes the packet matching that timestamp. I masked out a password from the enclosed content... it didn't contain that string either ;-).


Files

2008100.txt (1.03 MB) 2008100.txt Wireshark export John Pile, 04/18/2011 03:05 PM
snort.rules.gz (684 KB) snort.rules.gz Ruleset used John Pile, 04/19/2011 10:29 AM
issue283.pcap (17.2 KB) issue283.pcap Peter Manev, 04/26/2011 12:34 PM
suricata.yaml (16 KB) suricata.yaml John Pile, 04/27/2011 06:10 PM
config.log (69.4 KB) config.log John Pile, 04/28/2011 04:36 PM
trigger.pcap (4.35 KB) trigger.pcap John Pile, 04/29/2011 11:26 AM
Actions

Also available in: Atom PDF