[Snort-sigs] My first attempt in writing snortrules: SubSeven Gold 2.1 Sig

counter.spy at ...52...
Wed Mar 20 02:45:02 EST 2002


Hello,
I have noticed that the SubSeven rules in backdoors.rules did not trigger on
the SubSeven version I tested in my testing environment.
This is a SubSeven Gold 2.1.
Note:
This is my very first attempt at writing Snort rules, so please don't laugh
too loud ;)

Any feedback on those rules, and on writing good rules in general, is greatly
appreciated.
I have attached a brief description of how I came to those signatures (best
viewed in Acrobat Reader or gsview32).

Here are the actual rules that I have written. They are working well for me
and haven't produced any false positives on a production network yet.
If you find them useful, you may add them to backdoors.rules.

# Outbound: "PWD" (case-insensitive) within the first 10 payload bytes
alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "PWD"; offset: 0; depth: 10; nocase; \
classtype: misc-activity;)

# Inbound: the same payload test in the other direction
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "PWD"; offset: 0; depth: 10; nocase; \
classtype: misc-activity;)

# Outbound: the hex bytes spell "version: 2.1"; search starts at offset 40
# with a depth of 40
alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "|76 65 72 73 69 6f 6e 3a 20 32 2e 31|"; \
offset: 40; depth: 40; nocase; classtype: misc-activity;)


Thanks again for your feedback!
Greetings,
D. Liesen

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SubSeven_Signature_Development.pdf
Type: application/pdf
Size: 12513 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020320/e7c04ebc/attachment.pdf>
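
The three rules above rely on Snort's content/offset/depth/nocase modifiers, and the third one gives its pattern as hex bytes. The following is an added example written for this page (not code from the original post, and not Snort's own matching engine): it decodes a Snort content string, applies the offset/depth window and nocase flag, and runs the three payload tests over a few constructed packets. It assumes Snort 2.x window semantics, i.e. the pattern is searched for in payload[offset : offset + depth]; the sample payloads are made up for illustration and are not real SubSeven captures.

```python
"""Emulate Snort content/offset/depth/nocase matching for the Sub7 rules.

Added example, not from the original post or from Snort. Assumption: the
search window is payload[offset : offset + depth] (Snort 2.x semantics).
"""


def parse_content(spec):
    """Decode a Snort content string; text between | | is hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                       # odd-numbered parts sit inside pipes
            out += bytes.fromhex(part)  # fromhex ignores the spaces
        else:
            out += part.encode("latin-1")
    return bytes(out)


def content_matches(payload, spec, offset=0, depth=None, nocase=False):
    """Apply one content test with its offset/depth/nocase modifiers."""
    needle = parse_content(spec)
    end = None if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        return needle.lower() in window.lower()
    return needle in window


# The three posted rules, reduced to direction plus payload test.
# "out" = $HOME_NET -> $EXTERNAL_NET, "in" = $EXTERNAL_NET -> $HOME_NET.
# The sid labels are invented here for readability.
RULES = [
    {"sid": "pwd_out", "direction": "out", "spec": "PWD",
     "offset": 0, "depth": 10, "nocase": True},
    {"sid": "pwd_in", "direction": "in", "spec": "PWD",
     "offset": 0, "depth": 10, "nocase": True},
    {"sid": "version_out", "direction": "out",
     "spec": "|76 65 72 73 69 6f 6e 3a 20 32 2e 31|",
     "offset": 40, "depth": 40, "nocase": True},
]


def matching_rules(payload, direction):
    """Return the labels of rules whose direction and content test both hit."""
    return [r["sid"] for r in RULES
            if r["direction"] == direction
            and content_matches(payload, r["spec"], r["offset"],
                                r["depth"], r["nocase"])]


# Constructed sample payloads (not real Sub7 traffic).
SAMPLES = {
    # "version: 2.1" begins at byte 47, inside the 40..80 window
    "version_in_window": b"x" * 40 + b"build: version: 2.1\r\n",
    # same string at byte 10: outside the window, must not match
    "version_early": b"x" * 10 + b"version: 2.1",
    # the FTP PWD command also satisfies the "PWD" content test
    "ftp_pwd": b"PWD\r\n",
    "unrelated": b"GET / HTTP/1.0\r\n",
}


def run_samples(direction="out"):
    """Evaluate every sample payload in one direction."""
    return {name: matching_rules(p, direction) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:18} -> {hits}")
```

The "version_early" sample shows what offset/depth buy you: the same string is ignored when it falls outside the window, so the third rule is tied to where the version string sits in the stream, while the two "PWD" rules are satisfied by any payload that starts with those three letters, the FTP PWD command included.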
