Whitehats Network Security Resource
arachNIDS - The Intrusion Event Database

IDS111/TROJAN_TROJAN-ACTIVE-BLA

Platform(s): windows
Category: trojan
Classification: System Integrity Success
CVE: CAN-1999-0660
Bugtraq: nomatch
advICE: nomatch

Summary
This event indicates that a known trojan may be operating on the host. This is not a scan or probe, but a successful connection.

How Specific
This event is specific to a particular exploit, but the signature does not inspect the packet payload in order to detect the attack.

Trusting The Source IP Address
The packet that caused this event is normally part of an established TCP session, which indicates that the source IP address has not been spoofed. If you are using a firewall that supports stateful inspection, and you are not vulnerable to sequence number prediction attacks, then you can be fairly certain that the source IP address of the event is accurate. Since the intruder is likely to expect or desire a response to their packets, the source IP address is unlikely to be spoofed.

False Positives
There are reported incidents where legitimate traffic may cause an intrusion detection system to raise "false positive" alerts for this event. The following details have been reported: this signature matches only the known default port of the trojan, so any other server software listening on the same port will also trigger it.

Copyright © 2001 Whitehats, Inc. All rights reserved.