Snort mailing list archives

Re: BACKDOOR QAZ Worm Client Login access?


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 20 May 2004 19:06:12 -0400

At 02:57 PM 5/20/2004, sart () trialgraphix com wrote:
> The SID is 108 and the message is "BACKDOOR QAZ Worm Client Login access."
> I have the sensor on a port mirroring all traffic to the DMZ.
> The Source address in the "SID 108" alert is the internal address of our
> SMTP server, and the Destination is 192.6.1.3.
> The Payload is [length = 5, 000 : 00 00 00 00 45]

That sounds more like a bug in your version of snort.

That packet should definitely not match that rule. The rule is looking for a 10-byte hex sequence in the payload, and 00 isn't in it (71 61 7a 77 73 78 2e 68 73 71).

Was the port on the destination even correct? (port 7597)
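To make the reasoning in the reply concrete, here is an added example (not code from the thread or from the Snort project) that reproduces the two checks Matt describes: the destination port of 7597 and the 10-byte content match, whose hex decodes to the string "qazwsx.hsq". It also parses the payload line exactly as it was posted, so you can see that a 5-byte payload of all zeros plus 0x45 cannot contain a 10-byte pattern. The rule direction and any other rule options are not on the page and are deliberately left out; the sample "matching" payload is constructed.

```python
import re

# From Matt's reply: the 10 bytes SID 108 looks for, and the port he asks about.
QAZ_CONTENT_HEX = "71 61 7a 77 73 78 2e 68 73 71"
QAZ_PORT = 7597


def hex_to_bytes(hex_text):
    """Turn a space-separated hex string into bytes."""
    return bytes(int(h, 16) for h in hex_text.split())


QAZ_CONTENT = hex_to_bytes(QAZ_CONTENT_HEX)  # b"qazwsx.hsq"


def parse_snort_payload(line):
    """Parse a payload line in the form quoted in the post:
    [length = N, OFFSET : HH HH ..., OFFSET : HH ...]
    Returns the payload bytes and verifies the declared length."""
    m = re.match(r"\s*\[length = (\d+),(.*)\]\s*$", line)
    if not m:
        raise ValueError("unrecognised payload line: %r" % line)
    declared_len = int(m.group(1))
    data = bytearray()
    for segment in m.group(2).split(","):
        # each segment is "OFFSET : HH HH ..."; the offset is informational
        _offset, _, hex_part = segment.partition(":")
        data.extend(hex_to_bytes(hex_part))
    if len(data) != declared_len:
        raise ValueError("declared length %d but %d bytes decoded"
                         % (declared_len, len(data)))
    return bytes(data)


def qaz_rule_matches(port, payload):
    """Simplified model of the SID 108 checks discussed in the thread:
    the port must be 7597 and the payload must contain the content bytes.
    (Real Snort rules also carry flow/direction options not shown here.)"""
    return port == QAZ_PORT and QAZ_CONTENT in payload


def explain_mismatch(port, payload):
    """Return human-readable reasons why the rule could not fire."""
    reasons = []
    if port != QAZ_PORT:
        reasons.append("port %d != %d" % (port, QAZ_PORT))
    if len(payload) < len(QAZ_CONTENT):
        reasons.append("payload is %d bytes, pattern needs %d"
                       % (len(payload), len(QAZ_CONTENT)))
    elif QAZ_CONTENT not in payload:
        reasons.append("pattern bytes not present in payload")
    return reasons


if __name__ == "__main__":
    # The payload exactly as quoted in the original post.
    posted = parse_snort_payload("[length = 5, 000 : 00 00 00 00 45]")
    print("pattern:", QAZ_CONTENT.decode("ascii"))
    print("posted payload matches:", qaz_rule_matches(QAZ_PORT, posted))
    print("why not:", explain_mismatch(QAZ_PORT, posted))

    # Constructed sample that does carry the pattern, for contrast.
    sample = b"\x00\x00qazwsx.hsq\r\n"
    print("constructed sample matches:", qaz_rule_matches(QAZ_PORT, sample))
```

If you want to check a real alert the same way, paste the payload line from the alert into parse_snort_payload and compare against the content bytes of the rule in your ruleset; if the decoded payload is shorter than the pattern and the alert still fired, the problem is in the sensor, not the rule.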

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net