Snort mailing list archives

RE: Q-ICMP rule/IDS202


From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Thu, 25 Apr 2002 13:28:41 -0400


Mike, 


Does anyone have any information about the Q-icmp rule listed 
as IDS202?

whitehats appears to be up at the moment:
http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids202&view=research

If it goes down before you get this message..;-)

From whitehats.com:

 Summary

This indicates an attempt to send a command to a compromised Q server. Q is
a backdoor that allows an attacker to run commands remotely as root, among
other functions.

 How Specific

This event is specific to a particular exploit, but the packet payload is
not considered as part of the signature to detect the attack.

 Trusting The Source IP Address

Since this event was caused by an ICMP packet, the source IP address could be
easily forged. It has been noted that the intruder is likely to expect or
desire a response to their packets, so it may be likely that the source IP
address is not spoofed.


cve entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0660


- Jeff
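The quoted arachNIDS text makes two points worth seeing in code: the IDS202 signature keys on ICMP header fields only, so the payload is not part of the match, and the ICMP source address is unauthenticated. The following is an added example (not from the Snort rule set, whitehats, or this thread) that builds ICMP packets, verifies the RFC 1071 checksum, and runs both a header-only match and a payload-aware match over them. The field values (type 0, code 0, dsize > 1) and the marker string are assumptions chosen for illustration; they are not the real IDS202 rule or the real Q command format.

```python
import struct

# Hypothetical content token used only to show the difference between a
# header-only signature and one that also inspects the payload. It is NOT
# the Q backdoor's actual command format.
MARKER = b"HYPOTHETICAL-MARKER"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, icode: int, payload: bytes, ident: int = 0, seq: int = 0) -> bytes:
    """Build an ICMP message with a correct checksum (used to construct samples)."""
    header = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Split an ICMP message into header fields and payload; reject bad checksums."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    # A correct checksum makes the ones'-complement sum of the whole message 0.
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    itype, icode, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"itype": itype, "icode": icode, "id": ident, "seq": seq,
            "dsize": len(pkt) - 8, "payload": pkt[8:]}


def header_only_match(fields: dict, itype: int, icode: int, min_dsize: int) -> bool:
    """Signature that looks only at type, code and payload size (like IDS202 per the text)."""
    return (fields["itype"] == itype and fields["icode"] == icode
            and fields["dsize"] > min_dsize)


def payload_match(fields: dict, itype: int, icode: int, min_dsize: int, content: bytes) -> bool:
    """Same header constraints plus a content check on the payload."""
    return header_only_match(fields, itype, icode, min_dsize) and content in fields["payload"]


def classify(pkt: bytes, content: bytes = MARKER) -> dict:
    """Run both signatures over one packet; assumed field values: type 0, code 0, dsize > 1."""
    f = parse_icmp(pkt)
    return {"header_only": header_only_match(f, 0, 0, 1),
            "with_content": payload_match(f, 0, 0, 1, content)}


# Constructed sample packets (not captured traffic).
BENIGN_REPLY = build_icmp(0, 0, bytes(range(56)), ident=0x1234, seq=1)  # ordinary ping reply
MARKED_REPLY = build_icmp(0, 0, MARKER + b"\x00" * 8, ident=0x1234, seq=2)
ECHO_REQUEST = build_icmp(8, 0, bytes(range(56)), ident=0x1234, seq=3)

if __name__ == "__main__":
    for name, pkt in (("benign reply", BENIGN_REPLY),
                      ("marked reply", MARKED_REPLY),
                      ("echo request", ECHO_REQUEST)):
        print(name, classify(pkt))
    # Note: nothing in the ICMP message authenticates the IP source address;
    # a matching packet can carry any source, which is the "spoofing" caveat above.
```

Running it shows the benign echo reply and the marked one both fire the header-only signature, while only the marked one fires the payload-aware variant; this is the false-positive exposure the "How Specific" note describes, and it is independent of whether the source IP is spoofed.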


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users