[Snort-sigs] INETD backdoor signature (sh -i)

Jason Haar Jason.Haar at ...651...
Sun Jun 30 19:07:03 EDT 2002


On Sun, Jun 30, 2002 at 02:24:17PM -0700, Bill McCarty wrote:

> mitigate the overhead that much. Granted, the flow facility could eliminate 
> traffic flowing to a server as part of an established connection. So, only 
> traffic flowing from the server would be inspected. But, I think that many 
> networks sustain more traffic flowing from external servers than to them. 
> In that case, the savings wouldn't be all that great.

I think flows allows you to distinguish between YOU donwloading the latest
Redhat ISO image (full of shellcodes) and someone connecting to *YOU* and
sending shellcodes. 

i.e. you want to ignore the former and alert on the latter.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




More information about the Snort-sigs mailing list