Snort mailing list archives
Re: Reverse Telnet
From: Matt Kettler <mkettler () EVI-INC COM>
Date: Thu, 21 Aug 2003 10:13:10 -0400
At 04:25 PM 8/20/2003 -0700, Mike Koponick wrote:
> I'm looking for a signature for reverse telnet type applications. The scenario is that if someone were to put an application on a PC or ?? on an internal segment, it will use port 80 or whatever port is available to connect to a server located outside the network.
"reverse telnet" is really more of a conceptual idea than anything else. As such, there's not going to be much of a sensible signature to give here. Offhand I can't name any "reverse telnet" tools, but I could write a dozen different varieties in an evening, all with different signatures. They'd probably not be very good, but they'd do the job.
If you had a specific tool in mind, someone could write a signature for it, but there's no "common behavior" that would let you write a general signature for it. You might as well be asking for a general signature for backdoor type applications.
(Technically, reverse telnets are a kind of backdoor, but there are as many possibilities for signatures as there are for forward-connecting backdoors. The network traffic profile can be made to look like anything.)