[Snort-sigs] INETD backdoor signature (sh -i)

Matt Kettler mkettler at ...189...
Fri Jun 28 12:05:05 EDT 2002

Aye, this should probably go in with some of the "causes so much load that 
they are disabled by default" rules, like the old shellcode ones used to be.

Doing an arbitrary depth match on any tcp packet with ack bit set sent to 
your HOME_NET might be reasonable on some small networks, but for those 
monitoring reasonable bandwidth networks this is going to be a very 
expensive rule to run.

Once flows are in this might be a much more reasonable rule, as you can set 
up the flow so it doesn't monitor every file you download from any external 
website, ftp server, mailserver, etc.

In the interim you might consider using SHELLCODE_PORTS instead of any.

At 11:12 AM 6/21/2002 +0600, Meder Baike wrote:
>hi, i didn't see this one in rules, so decided to write one:
>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INETD backdoor 
>(interactive shell\: sh -i)"; \
>                                          flags: A+; content:"stream tcp 
> nowait root /bin/sh sh -i"; nocase; \
>                                           classtype:attempted-admin; 
> sid:1000001; rev:1;)
>Sponsored by:
>ThinkGeek at http://www.ThinkGeek.com/
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list