Snort mailing list archives

Re: Reverse Telnet


From: Matt Kettler <mkettler () EVI-INC COM>
Date: Thu, 21 Aug 2003 10:13:10 -0400

At 04:25 PM 8/20/2003 -0700, Mike Koponick wrote:
> I'm looking for a signature for reverse telnet type applications. The scenario is that if someone were to put an application on a PC or ?? on an internal segment, it will use port 80 or whatever port is available to connect to a server located outside the network.

"reverse telnet" is really more of a conceptual idea than anything else. As such, there's not going to be much of a sensible signature to give here. Offhand I can't name any "reverse telnet" tools, but I could write a dozen different varieties in an evening, all with different signatures. They'd probably not be very good, but they'd do the job.

If you had a specific tool in mind, someone could write a signature for it, but there's no "common behavior" that would let you write a general signature for it. You might as well be asking for a general signature for backdoor type applications.

(Technically, reverse telnets are a kind of backdoor, but there are as many possibilities for signatures as there are for forward-connecting backdoors. The network traffic profile can be made to look like anything.)






