[Snort-sigs] INETD backdoor signature (sh -i)

Bill McCarty bmccarty at ...483...
Sun Jun 30 22:46:02 EDT 2002


Hi Jason,

The last attacker that compromised one of my honeypots installed the very 
INET backdoor in question. But, he did it via an outgoing connection. That 
is, the direction of flow was similar to that of downloading a Red Hat ISO. 
So, I'm still looking for the savings <grin>.

BTW, the datagram content tested by this rule isn't even as exotic as shell 
code. It's plain old ASCII text of the sort downloaded via wget or lynx. 
But, as you suggest, I do often get a crop of NOP false positives when a 
new Red Hat distribution is released <grin>.

Thanks for your thoughts!

Cheers,

--On Monday, July 01, 2002 2:06 PM +1200 Jason Haar 
<Jason.Haar at ...651...> wrote:

> On Sun, Jun 30, 2002 at 02:24:17PM -0700, Bill McCarty wrote:
>
>> mitigate the overhead that much. Granted, the flow facility could
>> eliminate traffic flowing to a server as part of an established
>> connection. So, only traffic flowing from the server would be
>> inspected. But, I think that many networks sustain more traffic flowing
>> from external servers than to them. In that case, the savings wouldn't
>> be all that great.
>
> I think flows allows you to distinguish between YOU downloading the latest
> Redhat ISO image (full of shellcodes) and someone connecting to *YOU* and
> sending shellcodes.
>
> i.e. you want to ignore the former and alert on the latter.
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>



---------------------------------------------------
Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University
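As an added example (not code from the thread or from the Snort project), here is a small Python model of the point under discussion: the same "sh -i" text trips a plain content rule whether it is pushed inbound or pulled down, but a flow:to_server restriction only keeps the inbound case and silently drops the outbound-download case Bill describes. Addresses, ports, the honeypot's use of port 23, and the payloads are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""
    syn: bool = False  # True on the packet that opens the connection

class FlowTable:
    """Minimal stand-in for Snort's flow tracking: remember who the
    server is (the side that received the SYN) for each connection."""
    def __init__(self):
        self.servers = {}

    @staticmethod
    def key(p: Packet):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def observe(self, p: Packet):
        if p.syn:
            self.servers.setdefault(self.key(p), p.dst)

    def to_server(self, p: Packet) -> bool:
        return self.servers.get(self.key(p)) == p.dst

def inetd_backdoor_rule(flows: FlowTable, p: Packet, require_to_server: bool) -> bool:
    """Content rule for the ASCII string 'sh -i'; with require_to_server=True
    it behaves like the same rule with flow:to_server added."""
    if require_to_server and not flows.to_server(p):
        return False
    return b"sh -i" in p.payload

# Constructed traffic, in order. 10.0.0.5 is the assumed honeypot.
# Packets 0-1: an outside host connects in and sends the backdoor line.
# Packets 2-4: the honeypot itself fetches the identical text from a web server.
PACKETS = [
    Packet("203.0.113.9", "10.0.0.5", 40123, 23, syn=True),
    Packet("203.0.113.9", "10.0.0.5", 40123, 23, b"stream tcp nowait root /bin/sh sh -i\n"),
    Packet("10.0.0.5", "198.51.100.7", 51234, 80, syn=True),
    Packet("10.0.0.5", "198.51.100.7", 51234, 80, b"GET /inetd.txt HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.7", "10.0.0.5", 80, 51234, b"HTTP/1.0 200 OK\r\n\r\nstream tcp nowait root /bin/sh sh -i\n"),
]

def alerts(require_to_server: bool) -> list:
    """Indices of PACKETS that the rule alerts on."""
    flows = FlowTable()
    hits = []
    for i, p in enumerate(PACKETS):
        flows.observe(p)
        if inetd_backdoor_rule(flows, p, require_to_server):
            hits.append(i)
    return hits
```

Running alerts(False) flags both packets 1 and 4, while alerts(True) flags only packet 1, which is exactly the outbound-install case that the flow restriction would have saved the cycles on and missed.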
