Snort mailing list archives
Re: alert questions
From: Jim Forster <jforster () rapidnet com>
Date: Fri, 14 Dec 2001 09:48:13 -0700
I've set up 2 Win boxes at home for just this type of testing... I'll kick up BO 1.0 and 1.1 tonight and rewrite and/or verify this one. I've got all the SubSeven revisions I can track down for testing as well - Sure seeing a LOT of probes across our network for it lately.

On Fri, 14 Dec 2001 11:35:27 -0500, Matt Kettler wrote:
So that everyone doesn't have to go grepping their rule files for "sid:112", this is a content-based rule for Back Orifice access detection.

backdoor.rules:

alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags: A+; content: "server|3a| BO|2f|"; reference:arachnids,400; sid:112; classtype:misc-activity; rev:3;)

I'm no expert, but at casual glance and brief thought I'd be a little surprised if this triggered and it was a false alarm; that strikes me as a very abnormal sequence, even for a binary to contain (although it is possible). That said, I've never had the rule trigger at all (snorting a T1 with roughly 50<n<100 office users for about 9 months now).

At 11:20 PM 12/13/2001 -0500, Brian wrote:

Have any of you seen sid:112 trigger and it was not a false alarm? If so, please email me. The only reference to this sid is that it is one of the original Ron Gula dragon sigs that Max converted.

-- After I'm dead I'd rather have people ask why I have no monument than why I have one. -- Cato the Elder
-- Jim Forster, jforster () rapidnet com on 12/14/2001

Snort-users mailing list, Snort-users () lists sourceforge net
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
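To see concretely what the sid:112 rule quoted above does and does not fire on, here is a small matcher for it, added to this archive page as an example; it is neither Snort's own engine nor code posted by anyone in the thread. It implements only the pieces that rule uses (the header 5-tuple with $HOME_NET/$EXTERNAL_NET, `flags: A+`, and `content:` with Snort's `|hex|` escapes) plus the `nocase` modifier, and it runs the rule over constructed sample packets. The $HOME_NET value (10.0.0.0/8), the IP addresses and the HTTP-looking payloads are all made up for the example. Two things worth noticing from the rule text itself: the source is an internal host's port 80 answering outward, and the content match is case-sensitive because the rule carries no `nocase`, so a payload containing `Server: BO/` does not trip it while `server: BO/` does.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed value for $HOME_NET (constructed for this example; snort.conf defines the real one).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

# The rule quoted in the thread, verbatim, as the matcher's input.
SID_112 = ('alert tcp $HOME_NET 80 -> $EXTERNAL_NET any '
           '(msg:"BACKDOOR BackOrifice access"; flags: A+; '
           'content: "server|3a| BO|2f|"; reference:arachnids,400; '
           'sid:112; classtype:misc-activity; rev:3;)')

# A variant with nocase added, to show the effect (my change, not the shipped rule).
SID_112_NOCASE = SID_112.replace('rev:3;)', 'nocase; rev:3;)')

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


@dataclass
class Packet:
    proto: str      # "tcp", "udp", ...
    src: str        # source IP
    sport: int
    dst: str        # destination IP
    dport: int
    flags: str      # TCP flags in Snort's letters, e.g. "AP" = ACK+PSH
    payload: bytes


def decode_content(raw: str) -> bytes:
    """Text outside |..| is literal, text inside |..| is hex:
    "server|3a| BO|2f|" -> b"server: BO/"."""
    out = bytearray()
    for i, seg in enumerate(raw.split('|')):
        out += seg.encode('latin-1') if i % 2 == 0 else bytes.fromhex(seg)
    return bytes(out)


def parse_options(body: str) -> dict:
    """Split 'k:v; k2; ...' into a dict (sid:112 has no ';' inside its msg)."""
    opts = {}
    for opt in body.split(';'):
        opt = opt.strip()
        if opt:
            k, _, v = opt.partition(':')
            opts[k.strip()] = v.strip().strip('"') if v else True
    return opts


def net_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == 'any':
        return True
    if spec == '$HOME_NET':
        return addr in HOME_NET
    if spec == '$EXTERNAL_NET':
        return addr not in HOME_NET
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == 'any' or int(spec) == port


def flags_match(spec: str, flags: str) -> bool:
    """'A+' = ACK set, other bits ignored; 'A' alone = exactly ACK."""
    spec = spec.replace(' ', '')
    want, have = set(spec.rstrip('+')), set(flags)
    return want <= have if spec.endswith('+') else want == have


def rule_matches(rule: str, pkt: Packet) -> bool:
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule header")
    _action, proto, sn, sp, direction, dn, dp, body = m.groups()
    opts = parse_options(body)
    if pkt.proto != proto:
        return False
    fwd = (net_matches(sn, pkt.src) and port_matches(sp, pkt.sport)
           and net_matches(dn, pkt.dst) and port_matches(dp, pkt.dport))
    rev = direction == '<>' and (
        net_matches(dn, pkt.src) and port_matches(dp, pkt.sport)
        and net_matches(sn, pkt.dst) and port_matches(sp, pkt.dport))
    if not (fwd or rev):
        return False
    if 'flags' in opts and not flags_match(opts['flags'], pkt.flags):
        return False
    if 'content' in opts:
        needle, hay = decode_content(opts['content']), pkt.payload
        if 'nocase' in opts:            # case-insensitive only when the rule says so
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


# Constructed sample traffic: an internal host answering from port 80 to the outside.
def sample(payload: bytes, src="10.1.2.3", sport=80, dst="203.0.113.9",
           dport=40000, flags="AP", proto="tcp") -> Packet:
    return Packet(proto, src, sport, dst, dport, flags, payload)

LOWER = sample(b"HTTP/1.0 200 OK\r\nserver: BO/1.0\r\n\r\n")
UPPER = sample(b"HTTP/1.0 200 OK\r\nServer: BO/1.0\r\n\r\n")
INBOUND = sample(LOWER.payload, src="203.0.113.9", dst="10.1.2.3")  # wrong direction
SYN_ONLY = sample(LOWER.payload, flags="S")                          # no ACK bit

if __name__ == "__main__":
    for name, p in [("lower", LOWER), ("upper", UPPER), ("inbound", INBOUND), ("syn", SYN_ONLY)]:
        print(name, rule_matches(SID_112, p), rule_matches(SID_112_NOCASE, p))
```

Running it shows only the lowercase, outbound, ACK-bearing packet matching the rule as shipped; the capitalised `Server:` header matches only the `nocase` variant. Whether the real Back Orifice traffic uses the lowercase spelling is exactly the kind of thing the thread is asking people to verify against a live copy, which is why a case-sensitive `content:` is worth checking before trusting a rule that has never fired.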
Current thread:
- alert questions Brian (Dec 14)
- Re: alert questions Matt Kettler (Dec 14)
- Re: alert questions Jim Forster (Dec 14)