Snort mailing list archives

Re: RST.B / EGP


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 8 Jan 2002 09:54:51 -0700 (MST)

It looks like I was incorrect about RST.b using EGP.  Qualys has done some
research on it, and it looks like it responds to UDP packets after all.
My confusion is because it specifically allocates an EGP socket, but then
goes into promiscuous mode, so I guess that doesn't matter.  However,
there are some particular packet characteristics one could look for.  Keep
an eye out for some more information about RST.b over the next couple of
days.

                                        Ryan

On Tue, 8 Jan 2002, Ian Cudlip wrote:

Hello All,

Has anyone looked into the RST.b trojan? I was considering tracking EGP (proto
8) to identify infected machines. Also, does anyone have any signatures?

Ian.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


