[Snort-sigs] Jacked netmetro rule

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Wed Apr 17 09:10:56 EDT 2002


I know it's commented out, but it could actually be useful... If rewritten:

Original:
alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flags: A+; reference:arachnids,79; classtype:misc-activity; sid:160; rev:2;)

Rewritten:
alert tcp $EXTERNAL_NET 5031 -> $HOME_NET 1024: (msg:"BACKDOOR NetMetro Incoming Traffic"; flags: SA; reference:arachnids,79; classtype:misc-activity; sid:160; rev:3;)
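
An added example, not part of the original post: a small Python model of the port and flags tests in the two rules, run over constructed packets to show which traffic each revision alerts on. It assumes the documented Snort semantics (`flags` with no modifier is an exact match, `+` means the listed bits plus any others), ignores the reserved TCP bits and the address variables, and all function and packet names are hypothetical.

```python
# Added illustration: minimal model of the port and flags tests in the two rules.
# TCP flag bits; reserved bits are ignored in this model (an assumption).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def port_matches(spec, port):
    """Evaluate a Snort port spec: 'any', 'N', 'lo:hi', 'lo:', ':hi', optional '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def flags_match(spec, flags):
    """No modifier: exact match. Trailing '+': listed bits set, any others allowed."""
    plus = spec.endswith("+")
    want = 0
    for ch in spec.rstrip("+"):
        want |= FLAG_BITS[ch]
    have = flags & 0x3F
    return (have & want) == want if plus else have == want

def rule_matches(rule, pkt):
    return (port_matches(rule["sport"], pkt["sport"])
            and port_matches(rule["dport"], pkt["dport"])
            and flags_match(rule["flags"], pkt["flags"]))

ORIGINAL = {"sport": "5031", "dport": "!53:80", "flags": "A+"}   # sid:160 rev:2
REWRITTEN = {"sport": "5031", "dport": "1024:", "flags": "SA"}   # sid:160 rev:3

# Constructed sample packets, all external source -> home destination.
PACKETS = {
    "SYN+ACK to port 40000": {"sport": 5031, "dport": 40000, "flags": 0x12},
    "PSH+ACK to port 40000": {"sport": 5031, "dport": 40000, "flags": 0x18},
    "ACK to port 25": {"sport": 5031, "dport": 25, "flags": 0x10},
    "SYN+ACK to port 80": {"sport": 5031, "dport": 80, "flags": 0x12},
}

def compare():
    """Return {packet name: (rev2 alerts, rev3 alerts)}."""
    return {n: (rule_matches(ORIGINAL, p), rule_matches(REWRITTEN, p))
            for n, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:24s} rev2={old} rev3={new}")
```

In this model rev:2 fires on every ACK-bearing segment from source port 5031 to any destination port outside 53-80, while rev:3 fires only on the SYN+ACK sent to a destination port of 1024 or higher.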



