[Snort-sigs] My first attempt in writing snortrules: SubSeven Gold 2.1 Sig

counter.spy at ...52...
Wed Mar 27 21:31:05 EST 2002


Hello again,

Robert Wagnet wrote:
>I haven't tested it, just wanted to alert you to the possibility.  The port
>was left to any, so you could catch http, telnet, mail, snmp, vnc, dns, and
>a variety of other text based traffic.  Obviously, subseven can be set up to
>any port so I am not sure if I am being helpful.  I was hoping there might
>be something more specific in the initial handshake between client and
>server.  Just some ideas to help keep down the false positives.

Of course you were absolutely right, assuming the sigs (at least the first
one) would trigger on the FTP command "print working directory" (pwd).

So the alternative would be using port specs and/or disabling the first and
second rule, depending on your network environment. If your site does not use
protocols where the pwd command is used in clear text, the rules should not
produce any false positives.
I hope the "version 2.1" string (in hexcode, see below) does not produce
other problems ;)

For those who haven't read the whole thread here are my rules for Sub7 Gold
2.1 again:

# Rule 1: outbound "PWD" in the first 10 payload bytes
alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "PWD"; offset: 0; depth: 10; nocase; \
classtype: misc-activity;)

# Rule 2: same check for inbound traffic
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "PWD"; offset: 0; depth: 10; nocase; \
classtype: misc-activity;)

# Rule 3: outbound "version: 2.1" (given in hex), searched from offset 40
alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "|76 65 72 73 69 6f 6e 3a 20 32 2e 31|"; \
offset: 40; depth: 40; nocase; classtype: misc-activity;)

Anyone having a better rule for this particular sub7 version is very welcome
:)

Bye,
D. Liesen

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net
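As an added example (not part of this thread or of Snort itself), the following Python emulates the content/offset/depth/nocase checks of the rules above and runs them over constructed payloads, showing the FTP "PWD" false positive Robert raised and which bytes the third rule's offset 40 / depth 40 window actually covers. The payloads are constructed, and the depth window is assumed to be counted from the offset, as Snort's content modifiers do.

```python
from typing import Dict, List, Optional, Tuple


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into bytes; |..| sections hold hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                      # odd parts sit between | | markers
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Emulate content/offset/depth/nocase: the pattern must lie entirely
    inside payload[offset:offset+depth] (depth counted from the offset)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


# (pattern, offset, depth, nocase) taken from the three rules above; rules 1
# and 2 share the PWD check and differ only in direction, so one entry here.
RULES: Dict[str, Tuple[bytes, int, int, bool]] = {
    "sub7_pwd": (parse_content("PWD"), 0, 10, True),
    "sub7_version": (parse_content("|76 65 72 73 69 6f 6e 3a 20 32 2e 31|"), 40, 40, True),
}


def matching_rules(payload: bytes) -> List[str]:
    """Names of rules whose content check fires on this TCP payload."""
    return [name for name, (pat, off, dep, nc) in RULES.items()
            if content_match(payload, pat, off, dep, nc)]


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "ftp_pwd": b"PWD\r\n",                             # benign FTP -> false positive
    "http_get": b"GET /index.html HTTP/1.0\r\n\r\n",   # no hit
    "banner_at_40": b"\x00" * 40 + b"VERSION: 2.1",     # inside the 40..80 window
    "banner_at_90": b"\x00" * 90 + b"version: 2.1",     # past the window: no hit
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:14} -> {matching_rules(payload)}")
```

The last two samples show why the byte position matters for rule 3: the same string is missed once it sits beyond offset 80, so a banner that arrives in a different packet layout would not fire.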