[Snort-sigs] SubSeven DEFCON8 2.1 alerts.

Joseph Nicholas Yarbrough nyarbrough at ...5...
Wed Oct 11 08:41:46 EDT 2000


**WARNING** These are untested signatures that are expected to work. Test these signatures before deployment.

OK, here are snort signatures to catch "SubSeven DEFCON8 2.1" access and attempts for public use.
They are arranged from top to bottom in order of least to most false positives.
Again, we don't have a system to install trojans on yet, so we are releasing these without proper testing.
We would be happy to know of the success or failure of these signatures to function.

Thanks,
Nick

-- 
Joseph Nicholas Yarbrough
Network Security Analyst
LURHQ Corporation
==========================>
nyarbrough at ...5...


##BEGIN LURHQCORP SNORT SIGNATURES
##author nyarbrough at ...5...
# Snort rule headers are "proto src sport -> dst dport (options)"; the stray
# colon after the destination port in the original text is not valid syntax.
#$HOME_NET displaying PWD when attacking host connects to SubSeven DEFCON8 2.1 on port 16959
alert tcp $HOME_NET 16959 -> any any (msg: "SubSeven DEFCON8 2.1 Backdoor Access!"; content: "PWD";)

#any host displaying PWD when any attacking host connects to SubSeven DEFCON8 2.1 on port 16959
alert tcp any 16959 -> any any (msg: "SubSeven DEFCON8 2.1 Backdoor Access!"; content: "PWD";)

#!$HOME_NET connecting to SubSeven DEFCON8 2.1 default port on $HOME_NET
alert tcp !$HOME_NET any -> $HOME_NET 16959 (msg: "SubSeven DEFCON8 2.1 Backdoor Attempt";)

#any host connection to any SubSeven DEFCON8 2.1 default port on any system
alert tcp any any -> any 16959 (msg: "SubSeven DEFCON8 2.1 Backdoor Attempt";)

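As an added illustration (not part of the original post or of Snort itself), the following minimal rule evaluator applies the four signatures above to constructed sample flows, so the author's "least to most false positives" ordering can be seen concretely: the $HOME_NET/content-anchored rules fire only on the infected-host reply, while the bare port-16959 rule also fires on internal traffic. HOME_NET, the packet tuples and the payloads are constructed assumptions.

```python
import re

HOME_NET = "10.1.1."  # constructed $HOME_NET prefix for the example
RULES = [  # the post's rules, with the correct header syntax
    'alert tcp $HOME_NET 16959 -> any any (msg:"SubSeven DEFCON8 2.1 Backdoor Access!"; content:"PWD";)',
    'alert tcp any 16959 -> any any (msg:"SubSeven DEFCON8 2.1 Backdoor Access!"; content:"PWD";)',
    'alert tcp !$HOME_NET any -> $HOME_NET 16959 (msg:"SubSeven DEFCON8 2.1 Backdoor Attempt";)',
    'alert tcp any any -> any 16959 (msg:"SubSeven DEFCON8 2.1 Backdoor Attempt";)',
]
HEADER = re.compile(r'^alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')

def parse_rule(text):
    """Split a Snort 1.x style rule into header fields plus msg/content options."""
    src, sport, dst, dport, opts = HEADER.match(text).groups()
    options = dict(re.findall(r'(\w+):\s*"([^"]*)"', opts))
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "msg": options.get("msg"), "content": options.get("content")}

def ip_matches(spec, ip):
    negate = spec.startswith("!")          # "!$HOME_NET" means "not in HOME_NET"
    spec = spec.lstrip("!")
    hit = True if spec == "any" else ip.startswith(HOME_NET) if spec == "$HOME_NET" else ip == spec
    return not hit if negate else hit

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_fires(rule, pkt):
    """pkt = (src_ip, src_port, dst_ip, dst_port, payload); header first, then content."""
    src, sport, dst, dport, payload = pkt
    if not (ip_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and ip_matches(rule["dst"], dst) and port_matches(rule["dport"], dport)):
        return False
    return rule["content"] is None or rule["content"].encode() in payload

def evaluate(packets):
    """Return, per packet, the indices of the rules (in post order) that fire."""
    rules = [parse_rule(r) for r in RULES]
    return [[i for i, r in enumerate(rules) if rule_fires(r, p)] for p in packets]

# Constructed sample flows (not real captures).
PACKETS = [
    ("10.1.1.5", 16959, "192.0.2.9", 4321, b"PWD: C:\\WINDOWS\r\n"),  # infected host replies
    ("192.0.2.9", 4321, "10.1.1.5", 16959, b"\x00"),                   # outside host connects in
    ("203.0.113.7", 16959, "198.51.100.2", 2000, b"hello"),            # unrelated use of port 16959
    ("10.1.1.6", 1025, "10.1.1.5", 16959, b"x"),                       # internal-to-internal connect
]

if __name__ == "__main__":
    for pkt, hits in zip(PACKETS, evaluate(PACKETS)):
        print(pkt[:4], "->", hits)
```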