[Snort-sigs] Rule for Sebek2 Traffic

Andrew Hintz (Drew) drew at ...486...
Thu Apr 10 17:38:03 EDT 2003


Here's a quick rule that picks up Sebek2 traffic.  Sebek2 is a backdoor that
is intended to be used to monitor Linux honeypots.  However, it could of
course have plenty of other malicious uses.

### Sebek2 Detection Rule ###

# you can set this to 'any' and still get a low # of false positives
var SEBEK_PORTS 1101

# TTL is configurable, but 1 by default
# TOS of 13 is hardcoded into the source
# the sebek packet ID is 4 bytes, so dsize is > 4

# you'll get an alert on *every* sebek packet.  If you only want to
# get one for every 256 sebek packets (roughly every 85 keystrokes), add
# the following three lines:
# content: "|00|"; \
# offset:3; \
# depth:1; \

alert udp any $SEBEK_PORTS -> any $SEBEK_PORTS (msg:"Sebek2 traffic"; \
ttl:1; \
tos:13; \
dsize:>4; \
reference:url,project.honeynet.org/papers/honeynet/tools/; \
classtype:policy-violation; sid:1000000; rev:1;)

#EOF

--
^Drew

http://guh.nu

--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--
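As an added example that is not part of the original post, the following Python matcher mirrors the rule's conditions (both ports 1101, ttl 1, tos 13, dsize > 4) and the optional offset-3 sampling check, so the "one alert per 256 packets" behaviour can be verified offline. It assumes the 4-byte Sebek packet ID is a counter in network byte order, which is what the offset:3 check implies; the packet class and helper names are mine.

```python
# Added example (not from the original post): a minimal matcher that mirrors
# the Sebek2 Snort rule so the sampling trick can be checked offline.
import struct
from dataclasses import dataclass

SEBEK_PORT = 1101   # the rule's $SEBEK_PORTS value
SEBEK_TTL = 1       # Sebek2 default TTL (configurable in Sebek)
SEBEK_TOS = 13      # hardcoded in the Sebek2 source


@dataclass
class UdpPacket:
    """Constructed stand-in for the IP/UDP fields the rule inspects."""
    sport: int
    dport: int
    ttl: int
    tos: int
    payload: bytes


def matches_sebek2(pkt: UdpPacket, sample_every_256: bool = False) -> bool:
    """True if pkt satisfies the rule.  sample_every_256 adds the optional
    content:"|00|"; offset:3; depth:1 check (4th payload byte must be 0)."""
    if pkt.sport != SEBEK_PORT or pkt.dport != SEBEK_PORT:
        return False
    if pkt.ttl != SEBEK_TTL or pkt.tos != SEBEK_TOS:
        return False
    if len(pkt.payload) <= 4:          # dsize:>4
        return False
    if sample_every_256:
        # offset:3; depth:1 -> inspect exactly one byte, at index 3
        return pkt.payload[3] == 0x00
    return True


def make_sebek2_packet(counter: int, data: bytes = b"k") -> UdpPacket:
    """Constructed packet.  Assumption: the 4-byte packet ID is a counter in
    network byte order, so its low byte (offset 3) is 0 every 256 packets."""
    payload = struct.pack("!I", counter) + data
    return UdpPacket(SEBEK_PORT, SEBEK_PORT, SEBEK_TTL, SEBEK_TOS, payload)


def count_alerts(packets, sample_every_256: bool = False) -> int:
    """Number of packets in the stream that would raise the alert."""
    return sum(1 for p in packets if matches_sebek2(p, sample_every_256))
```

Feeding 512 constructed packets through count_alerts gives 512 alerts without the sampling check and 2 with it (counters 0 and 256).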