Snort mailing list archives

Re: why no alert for netbus backdoor ?


From: Jens Krabbenhoeft <tschenz-snort-users () noris net>
Date: Tue, 26 Nov 2002 12:24:20 +0100

Hi,

I made sure the rule for netbus backdoor was added to snort.
Many thanks.

# grep -i netbus *
backdoor.rules:alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any
(msg:"BACKDOOR netbus active"; flow:from_server,established;
content:"NetBus"; reference:arachnids,401; classtype:misc-activity;
sid:109; rev:3;)
backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 12345
(msg:"BACKDOOR netbus getinfo"; flags: A+; content: "GetInfo|0d|";
reference:arachnids,403; sid:110;  classtype:misc-activity; rev:3;)
backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 12346
(msg:"BACKDOOR netbus getinfo"; flags: A+; content: "GetInfo|0d|";
reference:arachnids,403; sid:111;  classtype:misc-activity; rev:3;)
backdoor.rules:alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any
(msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus";
reference:arachnids,401; sid:114;  classtype:misc-activity; rev:3;)
backdoor.rules:alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any
(msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus";
reference:arachnids,401; sid:115;  classtype:misc-activity; rev:3;)

There are netbus rules in snort. The reason why you didn't get an alert
is that all of the rules do content checking. See the
"content:" options in the rules.

Even if you try it with a real netbus client/server, snort might not alert
on the packets, because (when you use the default snort.conf)
backdoor.rules are not enabled by default.

HTH,
        Jens
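As an added illustration (not part of Jens's message and not Snort's own code) of why a bare connection to port 12345 gives no alert: a toy matcher that applies only the header (network/port) and "content:" checks of the five rules quoted above, with the flow/flags options left out. The HOME/EXT labels, the rule table and the sample payloads are constructed for this example.

```python
# Constructed from the backdoor.rules lines in the grep output above.
# Fields: sid, src_net, src_port, dst_net, dst_port, content (None = any).
RULES = [
    (109, "HOME", 12345, "EXT", None, "NetBus"),
    (110, "EXT", None, "HOME", 12345, "GetInfo|0d|"),
    (111, "EXT", None, "HOME", 12346, "GetInfo|0d|"),
    (114, "HOME", 12346, "EXT", None, "NetBus"),
    (115, "HOME", 20034, "EXT", None, "NetBus"),
]

def parse_content(spec):
    """Turn a Snort content string into bytes: text outside |...| is
    literal, text inside |...| is space-separated hex ("GetInfo|0d|")."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part)
    return bytes(out)

def match_rules(src_net, src_port, dst_net, dst_port, payload):
    """Return the sids whose header matches the packet AND whose content
    bytes occur in the payload. A port match alone never fires."""
    hits = []
    for sid, r_snet, r_sport, r_dnet, r_dport, content in RULES:
        if (r_snet, r_dnet) != (src_net, dst_net):
            continue
        if r_sport is not None and r_sport != src_port:
            continue
        if r_dport is not None and r_dport != dst_port:
            continue
        if parse_content(content) in payload:
            hits.append(sid)
    return hits

if __name__ == "__main__":
    # Constructed packets: a probe with no NetBus command, then a GetInfo
    # command to port 12345, then the server's reply from port 12345.
    print(match_rules("EXT", 40000, "HOME", 12345, b"hello\r\n"))   # []
    print(match_rules("EXT", 40000, "HOME", 12345, b"GetInfo\r"))   # [110]
    print(match_rules("HOME", 12345, "EXT", 40000, b"NetBus 1.xx\r"))  # [109]
```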

