Snort mailing list archives

Re: alert questions


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 14 Dec 2001 11:35:27 -0500

So that everyone doesn't have to go grepping their rule files for "sid:112", this is a content-based rule for Back Orifice access detection.

backdoor.rules:alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags: A+; content: "server|3a| BO|2f|"; reference:arachnids,400; sid:112; classtype:misc-activity; rev:3;)

I'm no expert, but at casual glance and brief thought I'd be a little surprised if this triggered and it was a false alarm; that strikes me as a very abnormal sequence, even for a binary to contain (although it is possible).

That said, I've never had the rule trigger at all (snorting a T1 with roughly 50<n<100 office users for about 9 months now).


At 11:20 PM 12/13/2001 -0500, Brian wrote:
Have any of you seen sid:112 trigger and it was not a false alarm?  If
so, please email me.  The only reference to this sid is that it is one
of the original Ron Gula dragon sigs that Max converted.

--
After I'm dead I'd rather have people ask why I have no monument than
why I have one.  -- Cato the Elder
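As an added illustration (not part of the original thread), the following decodes the sid:112 content string, with its pipe-delimited hex bytes, into the raw byte sequence Snort looks for and tests it against a few constructed HTTP response payloads; since the rule has no nocase modifier, only the exact byte sequence matches.

```python
import re

# The content string from sid:112 as it appears in backdoor.rules.
SID112_CONTENT = "server|3a| BO|2f|"

def decode_snort_content(content: str) -> bytes:
    """Decode a Snort 'content:' string into the raw bytes it matches.

    Text outside pipes is literal; text between pipes is a run of
    two-digit hex byte values separated by optional whitespace.
    """
    out = bytearray()
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            for hexbyte in part.split():
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", hexbyte):
                    raise ValueError(f"bad hex byte {hexbyte!r}")
                out.append(int(hexbyte, 16))
    return bytes(out)

def matches_sid112(payload: bytes) -> bool:
    """Plain substring match, as Snort does for 'content:' without 'nocase'."""
    return decode_snort_content(SID112_CONTENT) in payload

# Constructed sample payloads (not real captures) as they might leave an
# internal web server on port 80 ($HOME_NET -> $EXTERNAL_NET).
SAMPLE_PAYLOADS = {
    # Lowercase 'server:' header naming a "BO/" product: the rule's exact bytes.
    "bo_header": b"HTTP/1.0 200 OK\r\nserver: BO/1.2\r\n\r\n",
    # Same header with the usual capitalisation: no match without nocase.
    "bo_header_capitalised": b"HTTP/1.0 200 OK\r\nServer: BO/1.2\r\n\r\n",
    # Ordinary web server response.
    "apache": b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.22\r\n\r\n",
}

def classify_samples() -> dict:
    """Return {sample name: True if sid:112 would fire on it}."""
    return {name: matches_sid112(p) for name, p in SAMPLE_PAYLOADS.items()}

if __name__ == "__main__":
    print(decode_snort_content(SID112_CONTENT))  # b'server: BO/'
    for name, hit in classify_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```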


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

