Snort mailing list archives
Re: why no alert for netbus backdoor ?
From: Jens Krabbenhoeft <tschenz-snort-users () noris net>
Date: Tue, 26 Nov 2002 12:24:20 +0100
Hi,
I make sure the rule for netbus backdoor was added to snort. Many thanks.
# grep -i netbus *
backdoor.rules:alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:3;)
backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"BACKDOOR netbus getinfo"; flags: A+; content: "GetInfo|0d|"; reference:arachnids,403; sid:110; classtype:misc-activity; rev:3;)
backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flags: A+; content: "GetInfo|0d|"; reference:arachnids,403; sid:111; classtype:misc-activity; rev:3;)
backdoor.rules:alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus"; reference:arachnids,401; sid:114; classtype:misc-activity; rev:3;)
backdoor.rules:alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus"; reference:arachnids,401; sid:115; classtype:misc-activity; rev:3;)

There are netbus rules in snort. The reason why you didn't get an alert is that all of the rules do content-checking. See the "content:" options in the rules. Even if you try it with a real netbus client/server, snort might not alert on the packets, because (when you use the default snort.conf) backdoor.rules are not enabled by default.

HTH,
Jens
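The point Jens makes is that these rules match on payload bytes, not on the port alone. As an added illustration (not code from the thread or from Snort), the script below parses the port/direction header and the content option of two of the quoted rules (including Snort's |0d| hex notation), then evaluates constructed packets against them; $HOME_NET/$EXTERNAL_NET and the flow/flags options are deliberately not modelled, which is an assumption of this example.

```python
import re

# Two of the backdoor.rules lines quoted above (sid 109 and 110), trimmed
# to the options this example evaluates: ports, direction and content.
RULES = [
    'alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any '
    '(msg:"BACKDOOR netbus active"; content:"NetBus"; sid:109;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 '
    '(msg:"BACKDOOR netbus getinfo"; content: "GetInfo|0d|"; sid:110;)',
]

HEADER = re.compile(r'^alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')


def snort_content_bytes(pattern):
    """Decode a Snort content string: text outside |..| is literal, text
    inside |..| is hex, so "GetInfo|0d|" ends in a carriage return."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(text):
    """Return (src_port, dst_port, content_bytes, sid) for one rule line.
    Network variables are ignored here (assumption); ports are honoured."""
    m = HEADER.match(text)
    options = {}
    for opt in m.group(5).split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            options[key.strip()] = val.strip().strip('"')
    return (m.group(2), m.group(4),
            snort_content_bytes(options["content"]), int(options["sid"]))


def port_matches(rule_port, port):
    return rule_port == "any" or int(rule_port) == port


def matching_sids(packet, rules=RULES):
    """packet: dict with sport, dport and payload (bytes). A rule fires
    only when both ports fit AND its content bytes occur in the payload."""
    hits = []
    for rule in rules:
        sport, dport, content, sid = parse_rule(rule)
        if (port_matches(sport, packet["sport"])
                and port_matches(dport, packet["dport"])
                and content in packet["payload"]):
            hits.append(sid)
    return hits
```

A bare connection to port 12345 with no payload yields no SIDs at all, which is the behaviour the thread asks about; only packets carrying the "GetInfo" or "NetBus" bytes on the right ports produce a hit.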
Current thread:
- why no alert for netbus backdoor ? Wang,Fei (Nov 26)
- Re: why no alert for netbus backdoor ? Jens Krabbenhoeft (Nov 26)