[Snort-sigs] Root kit and "hackers defender" detection
tony.johansson at ...1237...
Tue Jan 28 06:47:14 EST 2003
Regarding a recent discussion on ntbugtraq about the detection and
characteristics of a root kit which seems to be a modified variant of
"hackers defender" (http://rootkit.host.sk/), I decided to try and see if
snort would detect it.
I downloaded the latest version of "hackers defender" and installed it on a
test machine. It works perfectly, answering on all open tcp ports (scary...)
I then hooked up snort (or more specifically puresecure) and configured it.
I downloaded all the latest rules and enabled them all. It detects port
scans and web cmd.exe attacks (http://machine/../../..cmd.exe ) but I am
still able to connect to the back door over TCP 80 with no alert from snort.
I'm pretty new to snort and havent worked much with sigs. However, I should
think that this would be something that people would want to detect?
More information about the Snort-sigs