Snort mailing list archives
RE: Q-ICMP rule/IDS202
From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Thu, 25 Apr 2002 13:28:41 -0400
Mike,
Does anyone have any information about the Q-icmp rule listed as IDS202?
whitehats appears to be up at the moment: http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids202&view=research If it goes down before you get this message..;-)
From whitehats.com:
Summary
This indicates an attempt to send a command to a compromised Q server. Q is a backdoor that allows an attacker to run commands remotely as root, among other functions.

How Specific
This event is specific to a particular exploit, but the packet payload is not considered as part of the signature to detect the attack.

Trusting The Source IP Address
Since this event was caused by an ICMP packet, the source IP address could be easily forged. It has been noted that the intruder is likely to expect or desire a response to their packets, so it may be likely that the source IP address is not spoofed.

cve entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0660

- Jeff
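The whitehats note above makes a triage argument: the ICMP source can be forged, but an attacker driving a backdoor usually wants a reply, so a response from the alerted host back to the claimed source makes the source more credible (and the host more worth investigating). The following is an added example of that correlation step, not code from the original post or from Snort; the alert and flow records and their field layout are constructed for illustration.

```python
"""Triage helper for ICMP-triggered backdoor alerts such as the Q/IDS202 event.

Constructed example: the Alert/Flow layouts and all sample values below are
hypothetical and are not Snort's native alert or log format.
"""
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float       # epoch seconds when the sensor raised the event
    sid_name: str   # event label, e.g. "IDS202 Q-ICMP"
    src: str        # claimed source of the ICMP packet (spoofable)
    dst: str        # internal host the command was aimed at


@dataclass
class Flow:
    ts: float       # epoch seconds the flow was seen
    src: str
    dst: str
    proto: str


def assess_spoofing(alert, flows, window=60.0):
    """Return (verdict, replies) for one alert.

    A reply from alert.dst back to alert.src within `window` seconds after
    the alert means the claimed source is probably genuine AND the host
    answered something; escalate. No reply leaves the source unverified
    (possibly spoofed, or no backdoor present on the host).
    """
    replies = [f for f in flows
               if f.src == alert.dst and f.dst == alert.src
               and alert.ts <= f.ts <= alert.ts + window]
    return ("response-observed", replies) if replies else ("source-unverified", [])


def triage(alerts, flows, window=60.0):
    """Map each alert index to its verdict for a batch of alerts."""
    return {i: assess_spoofing(a, flows, window)[0] for i, a in enumerate(alerts)}


ALERTS = [  # constructed sample alerts (documentation-range addresses)
    Alert(1000.0, "IDS202 Q-ICMP", "203.0.113.7", "192.0.2.10"),
    Alert(2000.0, "IDS202 Q-ICMP", "198.51.100.9", "192.0.2.11"),
]
FLOWS = [  # constructed sample flows seen by the same sensor
    Flow(1003.5, "192.0.2.10", "203.0.113.7", "TCP"),    # reply 3.5 s later
    Flow(2500.0, "192.0.2.11", "198.51.100.9", "ICMP"),  # 500 s later: outside window
]

if __name__ == "__main__":
    for i, verdict in triage(ALERTS, FLOWS).items():
        a = ALERTS[i]
        print(f"{a.sid_name} {a.src} -> {a.dst}: {verdict}")
```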