Snort mailing list archives
Re: BACKDOOR QAZ Worm Client Login access?
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 20 May 2004 19:06:12 -0400
At 02:57 PM 5/20/2004, sart () trialgraphix com wrote:
The SID is 108 and the message is "BACKDOOR QAZ Worm Client Login access." I have the sensor on a port mirroring all traffic to the DMZ. The Source address in the "SID 108" alert is the internal address of our SMTP server, and the Destination is 192.6.1.3. The Payload is [length = 5, 000 : 00 00 00 00 45]
That sounds more like a bug in your version of snort. That packet should definitely not match that rule. The rule is looking for a 10-byte hex sequence in the payload, and 00 isn't in it (71 61 7a 77 73 78 2e 68 73 71).
Was the port on the destination even correct? (port 7597)
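To make the reasoning in the reply concrete, here is an added example (not code from the thread or from the Snort project) that implements the two checks a Snort content rule applies: the destination port in the rule header and a byte-sequence search over the payload. The rule string below is constructed from the two facts the thread states (port 7597 and the 10-byte sequence 71 61 7a 77 73 78 2e 68 73 71); it is not the verbatim SID 108 rule text from any ruleset. Run against the 5-byte payload quoted in the original question, the content check cannot succeed, which is the reply's point.

```python
import re

# Constructed Snort-style rule built only from the facts stated in the thread
# (dst port 7597, 10-byte content). NOT the verbatim SID 108 text from a ruleset.
RULE_SID_108 = (
    'alert tcp any any -> any 7597 '
    '(msg:"BACKDOOR QAZ Worm Client Login access"; '
    'content:"|71 61 7a 77 73 78 2e 68 73 71|"; sid:108;)'
)


def parse_content(rule):
    """Return the bytes of the rule's content: option.

    Snort content strings mix literal text with |..| blocks of hex bytes,
    so alternate between the two while walking the string.
    """
    m = re.search(r'content:"((?:[^"\\]|\\.)*)"', rule)
    if not m:
        raise ValueError("rule has no content: option")
    parts = m.group(1).split('|')
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode('latin-1')      # literal text segment
        else:
            out += bytes.fromhex(part)        # hex segment between | |
    return bytes(out)


def parse_dst_port(rule):
    """Return the destination port from the rule header, or None for 'any'."""
    header = rule.split('(', 1)[0].split()
    # header layout: action proto src sport -> dst dport
    dport = header[6]
    return None if dport == 'any' else int(dport)


def rule_matches(rule, dst_port, payload):
    """True only if both the header port and the content pattern match."""
    want_port = parse_dst_port(rule)
    if want_port is not None and dst_port != want_port:
        return False
    return parse_content(rule) in payload


# Payload from the original question: 5 bytes, 00 00 00 00 45.
REPORTED_PAYLOAD = bytes.fromhex("00 00 00 00 45")

# Constructed sample payload that does carry the 10-byte sequence.
SAMPLE_HIT_PAYLOAD = b"\x01\x02qazwsx.hsq\x03"


def check_reported_alert():
    """Re-run the rule logic over the payload from the question."""
    return {
        "pattern": parse_content(RULE_SID_108),
        "reported_payload_matches": rule_matches(RULE_SID_108, 7597, REPORTED_PAYLOAD),
        "sample_hit_matches": rule_matches(RULE_SID_108, 7597, SAMPLE_HIT_PAYLOAD),
        "sample_hit_wrong_port": rule_matches(RULE_SID_108, 25, SAMPLE_HIT_PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in check_reported_alert().items():
        print(f"{k}: {v!r}")
```

The hex block decodes to the ASCII string `qazwsx.hsq`, and a 5-byte payload can never contain a 10-byte pattern, so an alert for this rule on that packet points at the sensor (version, preprocessor or alert attribution) rather than at the traffic; checking the destination port, as the reply suggests, is the quickest way to tell whether the header even matched.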