sig 5894 - subsig 0 -> false positives

Unanswered Question
Sep 4th, 2007

I have a lot of false positives of signature 5894 ("Storm Worm") in Subsignature 0 - especially from host "static.ak.studivz.net".

The signature definition is just looking for "Server: ngin" in HTTP downloads, which is really unspecific in my point of view.

What are you thinking about this signature?

wsulym Tue, 09/04/2007 - 09:17
User Badges:
  • Cisco Employee,

The s298 version of the signature will trigger on traffic from that site. That site runs nginx v0.5.10.

The s299 version of the same signature released August 28 will not, as it more closely constrains the signature to the version of nginx associated with web servers hosting the various trojan binaries.



mhellman Thu, 09/06/2007 - 12:05
User Badges:
  • Blue, 1500 points or more

This signature is still susceptible to false positives and I have seen many. A fidelity rating of 90 is hardly accurate when all you're doing is checking for an HTTP SERVER header that is used by a legitimate and freely available web server. Is there any way you could tighten it up by also checking the CONTENT TYPE?

mhellman Thu, 09/06/2007 - 12:22
User Badges:
  • Blue, 1500 points or more

Also, it appears that the 5894-0 has benign triggers caused by DNS queries. I haven't had an opportunity to get a trace, but queries from our mail server to our DNS server have triggered this signature.

h-schupp Fri, 09/07/2007 - 06:33

We are seeing the same issue for 5894-1 on our DNS traffic. Given that the sig appears to simply look for one of several hex combos (regex = \xe3[\x0a-\x0f]) occurring in any UDP session... it is not really unexpected that there will be quite a few 'random' triggers on DNS. As usual - the determination becomes whether to accept the 'noise' or filter. Our DNS hits are low enough that we chose to accept it as is.
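The following is an added illustration written for this page; it is not code from Cisco or from any of the posters. It models the two matching rules described in the thread (the "Server: ngin" header check on HTTP downloads, and the `\xe3[\x0a-\x0f]` byte regex on UDP payloads) and replays them against constructed sample traffic to show why both fire on benign data, plus the tighter HTTP check mhellman proposes (Server header and a binary Content-Type together). The exact matching logic of the real s298/s299 signatures, the assumed Content-Type value `application/octet-stream`, and all sample packets are my assumptions, not facts from the page.

```python
"""Model of the two 5894 matching rules discussed in the thread.

Added example, not Cisco's signature engine. Assumptions (mine):
  - the HTTP rule is a plain substring match on "Server: ngin";
  - the UDP rule is the regex \\xe3[\\x0a-\\x0f] quoted by h-schupp;
  - a "tightened" HTTP rule also requires Content-Type: application/octet-stream.
All traffic below is constructed, not captured.
"""
import re
import struct

SERVER_SUBSTR = b"Server: ngin"                      # modelled s298 HTTP rule
UDP_PATTERN = re.compile(rb"\xe3[\x0a-\x0f]")        # UDP rule as quoted in the thread
BINARY_CTYPE = b"application/octet-stream"           # assumed "binary download" type


def parse_http_headers(response: bytes) -> dict:
    """Split an HTTP response into a {lowercase-name: value} header dict."""
    head = response.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:             # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers


def loose_http_rule(response: bytes) -> bool:
    """Modelled s298 behaviour: any nginx banner fires, whatever is served."""
    return SERVER_SUBSTR in response


def tight_http_rule(response: bytes) -> bool:
    """mhellman's proposal: require the nginx banner AND a binary Content-Type."""
    headers = parse_http_headers(response)
    server = headers.get(b"server", b"")
    ctype = headers.get(b"content-type", b"")
    return server.startswith(b"ngin") and ctype.startswith(BINARY_CTYPE)


def udp_rule(payload: bytes) -> bool:
    """Modelled 5894-1 behaviour: the 2-byte pattern anywhere in a UDP payload."""
    return UDP_PATTERN.search(payload) is not None


# Constructed HTTP responses (not real traffic).
BENIGN_HTML = (b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.10\r\n"
               b"Content-Type: text/html\r\n\r\n<html>...</html>")
SUSPECT_BINARY = (b"HTTP/1.1 200 OK\r\nServer: nginx/0.5.17\r\n"
                  b"Content-Type: application/octet-stream\r\n\r\nMZ\x90\x00")
APACHE_HTML = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2\r\n"
               b"Content-Type: text/html\r\n\r\n<html>")


def build_dns_query(txid: int, qname: str) -> bytes:
    """Minimal DNS A query. The 16-bit transaction ID is resolver-chosen and
    effectively random, so byte 0xe3 regularly lands in the first header byte."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)


def dns_false_positive_rate(samples: int = 65536) -> float:
    """Fraction of transaction IDs for which an ordinary A query for
    example.com trips the UDP rule (exhaustive over all 16-bit IDs)."""
    hits = sum(udp_rule(build_dns_query(t, "example.com")) for t in range(samples))
    return hits / samples


def random_udp_hit_probability(payload_len: int) -> float:
    """Chance that uniformly random bytes of this length contain the pattern:
    6 of 65536 two-byte values match, at each of payload_len-1 positions."""
    p_pos = 6 / 65536
    return 1 - (1 - p_pos) ** (payload_len - 1)


if __name__ == "__main__":
    print("loose rule on benign nginx HTML :", loose_http_rule(BENIGN_HTML))
    print("tight rule on benign nginx HTML :", tight_http_rule(BENIGN_HTML))
    print("tight rule on nginx binary      :", tight_http_rule(SUSPECT_BINARY))
    print("DNS query FP rate over all IDs  :", dns_false_positive_rate())
    print("random 512-byte UDP hit prob.   :", round(random_udp_hit_probability(512), 4))
```

Running it shows the asymmetry the posters describe: the loose rule alerts on a plain HTML page from any nginx host, the tightened rule does not, and the UDP pattern fires on roughly one in eleven thousand ordinary DNS queries purely from the transaction ID, rising to a few percent of any 512-byte payload of arbitrary bytes. Whether that residual rate is worth filtering is exactly the noise-versus-coverage call h-schupp makes.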
