[Snort-sigs] Sinit rule anyone?

Joe Stewart jstewart at ...5...
Thu Dec 11 10:08:05 EST 2003


On Tuesday 09 December 2003 4:37 pm, Matt Kettler wrote:
> The UDP mode is a bit trickier to do without FPs just based on the
> limited information on that website.
>
> They state that it's udp/53 but also does udp/<somehighport>. Packets
> start with a 0x01-0x06 byte, followed by up to 511 more bytes.
>
> Unfortunately the first two bytes of a DNS request are the ID field.
> This field should be random, thus can be anything for legitimate DNS
> traffic, including 0x01-0x06.

Here are some rules to detect when infected clients share files. There 
should be low to no false positives with these when looking at port 53. 
Sinit can also transfer files over the high-numbered udp port, but 
false positives could go up if you want to look at all UDP traffic with 
these. Most of the time it uses port 53, so I personally would leave 
the rules as is.

alert udp any any -> any 53 (msg:"Backdoor.Sinit P2P File Send"; content:"|03|"; depth:1; content:"|3f 4d 5a|"; offset:480; dsize:512; reference:url,www.lurhq.com/sinit.html; classtype:trojan-activity; sid:1000061; rev:1;)

alert udp any any -> any 53 (msg:"Backdoor.Sinit P2P File Received"; content:"|02 ff ff ff 00 00 00 00|"; dsize:8; reference:url,www.lurhq.com/sinit.html; classtype:trojan-activity; sid:1000062; rev:1;)

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
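The two rules in the post combine a first-byte check (depth:1), a late-packet marker (offset:480 with no depth, so Snort searches from byte 480 to the end) and an exact datagram size (dsize), which is what keeps them from firing on ordinary DNS whose transaction ID happens to start with 0x01-0x06. The following is an added example, not from the post or from LURHQ: a small Python matcher that mirrors those three constraints and runs them over constructed UDP payloads (a normal DNS query with ID 0x0302, a 512-byte Sinit-style chunk, the 8-byte acknowledgement, a chunk whose marker sits before byte 480, and the same chunk on a high port). The packet builders, the port scoping and all sample bytes are assumptions made for the example.

```python
"""Toy re-implementation of the two Sinit UDP rules above, for checking
what they do and do not match. Constructed example, not Snort itself."""
import struct

# Both rules are scoped to "-> any 53"; the post leaves high UDP ports out on purpose.
SINIT_PORT = 53
# Rule 1 (sid:1000061): "|3f 4d 5a|" searched from byte 480 onward (offset:480, no depth).
SEND_MARKER = b"\x3f\x4d\x5a"
# Rule 2 (sid:1000062): the entire 8-byte datagram.
RECV_PAYLOAD = b"\x02\xff\xff\xff\x00\x00\x00\x00"


def match_sinit(dst_port, payload):
    """Return the matching rule's msg string, or None.

    Mirrors Snort semantics: dsize is an exact length test, depth:1 pins the
    first content to byte 0, and offset:480 without a depth means the second
    content may start at byte 480 or anywhere after it.
    """
    if dst_port != SINIT_PORT:
        return None
    size = len(payload)
    if size == 512 and payload[:1] == b"\x03" and SEND_MARKER in payload[480:]:
        return "Backdoor.Sinit P2P File Send"
    if size == 8 and payload == RECV_PAYLOAD:
        return "Backdoor.Sinit P2P File Received"
    return None


def build_send_chunk(marker_at=500):
    """Constructed 512-byte datagram shaped like rule 1: 0x03 lead byte,
    zero filler, marker placed at a chosen position (hypothetical layout)."""
    buf = bytearray(b"\x03" + b"\x00" * 511)
    buf[marker_at:marker_at + 3] = SEND_MARKER
    return bytes(buf)


def build_dns_query(txid, name=b"example.com"):
    """Constructed standard DNS A query. The first two bytes are the
    transaction ID Matt points out can legitimately start with 0x01-0x06."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label for label in name.split(b".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def scan(datagrams):
    """Run the matcher over (dst_port, payload) pairs; return (index, msg) hits."""
    hits = []
    for i, (port, payload) in enumerate(datagrams):
        msg = match_sinit(port, payload)
        if msg:
            hits.append((i, msg))
    return hits


# Constructed traffic sample (not captured data).
SAMPLE = [
    (53, build_dns_query(0x0302)),            # legit DNS, ID starts with 0x03: size is wrong, no alert
    (53, build_send_chunk()),                 # Sinit-style 512-byte chunk: rule 1
    (53, RECV_PAYLOAD),                       # 8-byte acknowledgement: rule 2
    (53, build_send_chunk(marker_at=100)),    # marker before byte 480: offset constraint not met
    (6880, build_send_chunk()),               # same bytes on a high port: outside the rules' scope
]

if __name__ == "__main__":
    for i, msg in scan(SAMPLE):
        port, payload = SAMPLE[i]
        print(f"datagram {i} (dst {port}, {len(payload)} bytes): {msg}")
```

The DNS case shows why the size and offset checks matter more than the first byte: a query whose ID begins with 0x03 passes the depth:1 test but is nowhere near 512 bytes. The last sample illustrates the trade-off Joe describes; widening the port to `any` would catch it, at the cost of evaluating every UDP datagram of exactly 512 or 8 bytes.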