[Snort-sigs] Sinit rule anyone?
jstewart at ...5...
Thu Dec 11 10:08:05 EST 2003
On Tuesday 09 December 2003 4:37 pm, Matt Kettler wrote:
> The UDP mode is a bit trickier to do without FPs just based on the
> limited information on that website.
> They state that it's udp/53 but also does udp/<somehighport>. Packets
> start with a 0x01-0x06 byte, followed by up to 511 more bytes.
> Unfortunately the first two bytes of a DNS request are the ID field.
> This field should be random, thus can be anything for legitimate DNS
> traffic, including 0x01-0x06.
Here are some rules to detect when infected clients share files. There
should be low to no false positives with these when looking at port 53.
Sinit can also transfer files over the high-numbered udp port, but
false positives could go up if you want to look at all UDP traffic with
these. Most of the time it uses port 53, so I personally would leave
the rules as is.
# sid values below are local-range placeholders (not from the original post); each rule needs a unique sid to load.
alert udp any any -> any 53 (msg:"Backdoor.Sinit P2P File Send"; content:"|03|"; depth:1; content:"|3f 4d 5a|"; offset:480; dsize:512; sid:1000001; rev:1;)
alert udp any any -> any 53 (msg:"Backdoor.Sinit P2P File Received"; content:"|02 ff ff ff 00 00 00 00|"; dsize:8; sid:1000002; rev:1;)
Joe Stewart, GCIH
Senior Security Researcher
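The two rules above, re-expressed as plain-Python matching logic and run against constructed payloads, as an added example that is not part of the original post. The DNS query builder, the 512-byte Sinit sample and the function names are assumptions made for the example; the byte patterns and lengths are the ones in the rules.

```python
# Added example (not from the original post): a plain-Python matcher for the
# two Sinit P2P detection rules, run against constructed UDP payloads.
# Snort semantics are mirrored: depth:1 pins |03| to byte 0; offset:480 lets the
# "?MZ" marker appear anywhere from byte 480 onward; dsize: is an exact length.
import struct
from typing import List, Optional, Tuple

SEND_MARKER = b"\x3f\x4d\x5a"                       # "?MZ" from the File Send rule
RECV_PAYLOAD = b"\x02\xff\xff\xff\x00\x00\x00\x00"  # whole File Received payload

def sinit_p2p_verdict(payload: bytes) -> Optional[str]:
    """Return the msg of the rule that fires, or None if neither matches."""
    if len(payload) == 512 and payload[0] == 0x03 and SEND_MARKER in payload[480:]:
        return "Backdoor.Sinit P2P File Send"
    if payload == RECV_PAYLOAD:
        return "Backdoor.Sinit P2P File Received"
    return None

def constructed_sinit_send(marker_offset: int = 480) -> bytes:
    """Constructed 512-byte File Send payload: type byte 0x03, marker at marker_offset."""
    body = bytearray(512)
    body[0] = 0x03
    body[marker_offset:marker_offset + 3] = SEND_MARKER
    return bytes(body)

def constructed_dns_query(txid: int, name: str = "example.com") -> bytes:
    """Constructed ordinary DNS A query; txid is the random ID field (bytes 0-1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def scan(samples: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Apply the matcher to (label, payload) pairs; return (label, msg) for hits."""
    hits = []
    for label, payload in samples:
        verdict = sinit_p2p_verdict(payload)
        if verdict:
            hits.append((label, verdict))
    return hits

if __name__ == "__main__":
    samples = [
        ("sinit-send", constructed_sinit_send()),
        ("sinit-recv", RECV_PAYLOAD),
        # Legitimate query whose random ID happens to start with 0x03: the
        # dsize/offset checks keep it from matching, which is the FP point above.
        ("dns-id-0x03xx", constructed_dns_query(0x0304)),
    ]
    for label, verdict in scan(samples):
        print(f"{label}: {verdict}")
```

The third sample shows why a first-byte check alone would false-positive on DNS while the full rule does not.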