Snort mailing list archives

Detecting VNC, PCAnywhere etc.


From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Sun, 5 Aug 2001 15:52:52 -0400

Hello,

A popular method used by hackers after compromising a host on your network
is to make some type of connection back out to the Internet to gather tools
(usually an FTP, TFTP, VNC, PCAW, Telnet connection etc). I would like to be
able to detect this type of attempt.

I tried this using a rule to detect when certain destination ports (i.e.
5631 for PCAnywhere) are accessed, but there is one problem with this. Since
machines connect to our web site with a random source port (i.e. 5631, which
is used by PCAnywhere), our web server replies with that source port as the
destination port in the message going back. This triggers a false positive when
it sees 5631 as the destination port, for example.

Is anyone out there checking for this type of traffic on their network, and
if so, can you recommend a good rule?

Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
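The false positive described in the post comes from matching on destination port alone, without regard to which side opened the connection. The following is an added illustration, not code from the original post or from Snort: it replays a small constructed packet trace through a naive destination-port check and through a direction-aware check that only fires on the connection-opening SYN from an internal host to an external one. The 10.0.0.0/24 internal range, the host addresses, the port list and the packet sequence are all constructed for the example. The equivalent idea in Snort rule syntax is restricting the rule to `$HOME_NET any -> $EXTERNAL_NET 5631` and adding `flags:S;`, so that the server's SYN/ACK reply (SYN and ACK both set) and later data packets do not match.

```python
"""Why a bare destination-port rule misfires on web-server replies, and a
direction-aware alternative. Example traffic is constructed, not captured."""
from dataclasses import dataclass
from typing import List

# Ports the post wants to watch for outbound connections (constructed list).
WATCHED_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP", 5631: "PCAnywhere", 5900: "VNC"}

# Constructed internal address range standing in for Snort's $HOME_NET.
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # SYN flag set
    ack: bool  # ACK flag set


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def naive_alerts(packets: List[Packet]) -> List[Packet]:
    """Fires on any packet whose destination port is watched, regardless of
    direction or TCP flags. This is the rule the post describes, and it
    matches the web server's replies to a client that happened to pick a
    watched port as its ephemeral source port."""
    return [p for p in packets if p.dport in WATCHED_PORTS]


def direction_aware_alerts(packets: List[Packet]) -> List[Packet]:
    """Fires only on the connection-opening SYN (SYN set, ACK clear) sent from
    an internal host to an external host on a watched port. Server replies are
    SYN/ACK or plain ACK and never match; inbound clients never match either.
    Snort expresses the same constraint with a $HOME_NET -> $EXTERNAL_NET
    header plus the flags:S option."""
    return [
        p for p in packets
        if p.syn and not p.ack
        and is_internal(p.src) and not is_internal(p.dst)
        and p.dport in WATCHED_PORTS
    ]


def service_name(p: Packet) -> str:
    """Human-readable label for an alert, used when reporting."""
    return WATCHED_PORTS[p.dport]


# Constructed trace: an outside client reaches the web server from ephemeral
# port 5631, then an internal host opens a real PCAnywhere session outbound.
SAMPLE_TRAFFIC = [
    # Legitimate HTTP client whose ephemeral port happens to be 5631.
    Packet("203.0.113.7", 5631, "10.0.0.80", 80, syn=True, ack=False),
    Packet("10.0.0.80", 80, "203.0.113.7", 5631, syn=True, ack=True),    # SYN/ACK reply
    Packet("10.0.0.80", 80, "203.0.113.7", 5631, syn=False, ack=True),   # data reply
    # Internal host connecting out to an external PCAnywhere listener.
    Packet("10.0.0.25", 40123, "198.51.100.9", 5631, syn=True, ack=False),
    Packet("198.51.100.9", 5631, "10.0.0.25", 40123, syn=True, ack=True),
    Packet("10.0.0.25", 40123, "198.51.100.9", 5631, syn=False, ack=True),
]


if __name__ == "__main__":
    print("naive rule alerts:", len(naive_alerts(SAMPLE_TRAFFIC)))
    for p in direction_aware_alerts(SAMPLE_TRAFFIC):
        print(f"outbound {service_name(p)} from {p.src} to {p.dst}:{p.dport}")
```

Run as a script, the naive check raises four alerts on this trace (two of them on the web server's replies and one on a later data packet of the real session), while the direction-aware check raises exactly one, on the internal host's outbound SYN to port 5631. Restricting the alert to the opening SYN also means each outbound session is reported once rather than on every packet.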
