[Snort-sigs] SubSeven Sigs

counter.spy at ...52... counter.spy at ...52...
Tue Mar 12 13:29:01 EST 2002


Hi!
I am new on this list and I would like to know if someone knows where to
find an up-to-date signature for SubSeven, because I have found that snort does
not detect Sub7 Gold.
Here are the signatures I have found in the Snort backdoors.rules from the
current rules set:

alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22";
flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;
reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity;
rev:4;)

alert tcp $EXTERNAL_NET 16959 -> $HOME_NET any (msg:"BACKDOOR subseven
DEFCON8 2.1 access"; content: "PWD"; content:"acidphreak"; nocase; flags: A+;
sid:107;  classtype:misc-activity; rev:4;)

In order to be able to detect Sub7, I have stripped down the first rule to
match on SYN to port 27374 solely, which is not my idea of a great signature
because you can configure Sub7 to connect on any port you like.

Can somebody give me a clue on how to find  unique patterns in  packets?
Are there any tools that help finding such patterns automatically from,
let's say, comparing unique traffic with mixed traffic?
This is my first try on writing a sig, you must know.

Thanks for your help!

Greetings,
D.Liesen

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net





More information about the Snort-sigs mailing list