[Snort-sigs] Missing classification and some new rules

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Aug 5 08:55:04 EDT 2002

SID: 1838

One of my coworkers (Matt Jonkman) has created 3 signatures to capture
the installation of Dameware and the client connection attempt to
dameware (of course, connection entails only looking for a syn packet,
but evidence shows it to have no false positives so far).  Since
dameware can be installed to listen on different ports, I think I will
likely make a connection rule to match for a content pattern that dame
sends on connect.  For 99% of the world, my bet is the following rules
will be good enough.

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"Dameware Service
Install"; content:"D|00|W|00|R|00|C|00|K"; flow:to_server,established;
classtype:misc-attack; sid:<sid>; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Dameware Remote
Control Service Install"; content:"DWRCK.DLL"; nocase;
flow:to_server,established; classtype:successful-admin; sid:<sid>;

alert tcp $EXTERNAL_NET any -> $HOME_NET 6129 (msg:"Dameware Remote
Control Attempt"; flags:S; flow:to_server; classtype:attempted-admin;
sid:<sid>; rev:1;) 

More information about the Snort-sigs mailing list