[Snort-sigs] Updated Sub7 v2.2 rules

Starbuck Newton starbuck at ...595...
Sun May 19 11:32:02 EDT 2002


Greetings,

Over the last several days I've been doing some black boxing and simple
packet analysis of the Sub7 v2.2 backdoor. The program was originally
obtained from subseven.de. The "official" site is not accessible at this
time. 

Snort 1.8.6 on a Sparc/Solaris 8 platform never detected any suspicious
traffic. Packet captures were reviewed and it seems that the string used
in the current ruleset, "<CR><LF>[RPL]002<CR><LF>", never appeared.

Attached are three rules to detect Sub7 v2.2 activity on its default
port (27374) and the "transfer port" (5873) the victim server opens to
the attacker to transfer data. The third rule just detects a connection
attempt/probe. (I didn't know how to write a snort rule 48 hours ago.
Any pointers/advice would be welcome.) These rules have been tested
successfully on Snort builds 1.8.3 & 1.8.6. Also attached is the libpcap
dump that served as the basis for developing the rules.

Cheers,
Starbuck Newton


-------------- next part --------------
A non-text attachment was scrubbed...
Name: Sub7Session.pcap
Type: application/octet-stream
Size: 4921 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020519/bf4f90cf/attachment.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Sub7FileTransferActiveRule.txt
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020519/bf4f90cf/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Sub7ProbeRule.txt
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020519/bf4f90cf/attachment-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Sub7ActiveRule.txt
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020519/bf4f90cf/attachment-0002.txt>
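The three attached rule files were scrubbed from the archive, so the post leaves only the shape of the detection: a content match on the "<CR><LF>[RPL]002<CR><LF>" banner that v2.2 traffic no longer carries, a connection-attempt rule on the default port 27374, and a rule for the transfer port 5873. The block below is an added illustration, not the rules from the post and not Snort's own code: it models the Snort 1.8-era header/flags/content matching in Python and runs three rules of that shape over constructed packets to show why a banner-only rule stays silent while a port/SYN rule still fires. The rule headers written in the comments, the rule messages, the host addresses, the direction of the transfer-port connection (attacker connecting in to 5873) and every payload byte are assumptions made for the example.

```python
"""Snort-style port/flag/content matching run over constructed packets.

Added example. The ports 27374 and 5873 and the "[RPL]002" banner string
come from the post; the rule headers in comments, the addresses, the
payloads and the direction of the 5873 connection are assumed here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flag letters as Snort writes them: S, A, P, F, R, U
    payload: bytes = b""


@dataclass
class Rule:
    msg: str
    sport: Optional[int] = None      # None means "any", as in a Snort rule header
    dport: Optional[int] = None
    flags: Optional[str] = None      # Snort flags: option; trailing "+" = these plus any others
    content: Optional[bytes] = None  # Snort content: option, matched anywhere in the payload


def flags_match(want: str, have: str) -> bool:
    """Mimic the flags: modifier: "S" is an exact flag set, "A+" means ACK plus anything."""
    if want.endswith("+"):
        return set(want[:-1]) <= set(have)
    return set(want) == set(have)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every option present on the rule must match; absent options are wildcards."""
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.flags is not None and not flags_match(rule.flags, pkt.flags):
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def run_rules(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, str]]:
    """Return (packet index, rule msg) for every packet/rule pair that fires."""
    return [(i, r.msg) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]


# Banner-style rule of the kind the post says never matched v2.2 traffic.
# Assumed Snort rendering (header direction is an assumption, not the stock rule):
#   alert tcp $HOME_NET 27374 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven 22";
#     flags:A+; content:"|0d0a|[RPL]002|0d0a|"; ...)
OLD_BANNER_RULE = Rule("BACKDOOR subseven 22 banner", sport=27374, flags="A+",
                       content=b"\r\n[RPL]002\r\n")

# Connection attempt / probe on the default port; needs no payload at all:
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"..."; flags:S; ...)
PROBE_RULE = Rule("Sub7 v2.2 connection attempt to 27374", dport=27374, flags="S")

# Data connection on the transfer port (assumed: the attacker connects in to 5873):
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 5873 (msg:"..."; flags:S; ...)
TRANSFER_RULE = Rule("Sub7 v2.2 transfer port 5873 connection", dport=5873, flags="S")

RULES = [OLD_BANNER_RULE, PROBE_RULE, TRANSFER_RULE]

# Constructed session, not bytes from the posted pcap.
SAMPLE = [
    Packet("10.0.0.9", 4102, "192.168.1.20", 27374, "S"),                         # attacker probes 27374
    Packet("192.168.1.20", 27374, "10.0.0.9", 4102, "PA", b"\x01\x00CON"),        # server reply without the banner
    Packet("10.0.0.9", 4103, "192.168.1.20", 5873, "S"),                          # attacker opens transfer port
    Packet("192.168.1.21", 27374, "10.0.0.9", 4104, "PA", b"\r\n[RPL]002\r\n"),   # older-style banner reply
]


def fired_packets(rules: List[Rule] = RULES, packets: List[Packet] = SAMPLE) -> List[int]:
    """Indices of packets that triggered at least one rule."""
    return sorted({i for i, _ in run_rules(rules, packets)})


if __name__ == "__main__":
    for idx, msg in run_rules(RULES, SAMPLE):
        p = SAMPLE[idx]
        print(f"[**] {msg} [**] {p.src}:{p.sport} -> {p.dst}:{p.dport} flags={p.flags}")
```

The banner rule only fires on packet 3, the constructed reply that still carries "<CR><LF>[RPL]002<CR><LF>"; the v2.2-style reply in packet 1 passes it silently, which is the behaviour the post reports. The two port-based rules need no payload knowledge and so catch the probe and the transfer-port connection, at the cost of also firing on any unrelated SYN to those ports, so a practitioner would pair them with a check on the reply direction before treating a hit as a confirmed infection.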