Re: alert questions

[Jim Forster <jforster () rapidnet com>]

I've set up 2 Win boxes at home for just this type testing...  I'll
kick up BO 1.0 and 1.1. tonight and rewrite and/or verify this one.
I've got all the SubSeven revisions I can track down for testing as
well - Sure seeing a LOT of probes across our network for it lately.

On Fri, 14 Dec 2001 11:35:27 -0500, Matt Kettler wrote:
> So that everyone doesn't have to go greping their rule files for
> "sid:112"
> this is a content-based rule for back orifice access detection..
>
> backdoor.rules:alert tcp $HOME_NET 80 -> $EXTERNAL_NET any
> (msg:"BACKDOOR
> BackOrifice access"; flags: A+; content: "server|3a| BO|2f|";
> reference:arachnids,400; sid:112;  classtype:misc-activity; rev:3;)
>
> I'm no expert, but at casual glance and brief thought I'd be a
> little a
> little surprised if this triggered and it was a false alarm, that
> strikes
> me as a very abnormal sequence, even for a binary to contain
> (although it
> is possible).
>
> That said, I've never had the rule trigger at all (snorting a T1
> with
> roughly 50<n<100 office users for about 9 months now).
>
>
> At 11:20 PM 12/13/2001 -0500, Brian wrote:
> > Have any of you seen sid:112 trigger and it was not a false alarm?
> > If
> > so, please email me.  The only reference to this sid is that it is
> > one
> > of the original Ron Gula dragon sigs that Max converted.
> >
> > --
> > After I'm dead I'd rather have people ask why I have no monument
> > than
> > why I have one.  -- Cato the Elder

--
Jim Forster, jforster () rapidnet com on 12/14/2001



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users