[Snort-sigs] Remote Shell Trojan signature

Jukka Juslin jtjuslin at ...1151...
Tue Jul 15 06:31:11 EDT 2003


Hi,

Could somebody help to evaluate this filter, I put together:

 alert udp any -> any 4369 (msg:"Remote Shell Trojan";
 flow:to_server,established; content:"DOM";reference:bugtraq,1234;
 classtype:attempted-user; sid:1234;  rev:1;)

Might be a stupid question, but can I invent sid from some pre-release
number range?

Just decided to share this now, although needs some work.

Thanks for any help and comments,
Jukka





More information about the Snort-sigs mailing list