[Snort-sigs] Root kit and "hackers defender" detection

Tony Johansson tony.johansson at ...1237...
Tue Jan 28 06:47:14 EST 2003


Regarding a recent discussion on ntbugtraq about the detection and
characteristics of a root kit which seems to be a modified variant of
"hackers defender" (http://rootkit.host.sk/), I decided to try and see if
snort would detect it.

I downloaded the latest version of "hackers defender" and installed it on a
test machine. It works perfectly, answering on all open TCP ports (scary...).

I then hooked up snort (or more specifically PureSecure) and configured it.
I downloaded all the latest rules and enabled them all. It detects port
scans and web cmd.exe attacks (http://machine/../../..cmd.exe), but I am
still able to connect to the back door over TCP 80 with no alert from snort.

I'm pretty new to snort and haven't worked much with sigs. However, I should
think that this would be something that people would want to detect?

regards, Tony

