[Snort-sigs] Remote Shell Trojan signature

Matt Kettler mkettler at ...189...
Tue Jul 15 10:20:21 EDT 2003


At 04:29 PM 7/15/2003 +0300, Jukka Juslin wrote:
>Could somebody help to evaluate this filter, I put together:
>
>  alert udp any -> any 4369 (msg:"Remote Shell Trojan";
>  flow:to_server,established; content:"DOM";reference:bugtraq,1234;
>  classtype:attempted-user; sid:1234;  rev:1;)
>
>Might be a stupid question, but can I invent sid from some pre-release
>number range?

You can invent SIDs for testing/local uses as any number over 1,000,000
(one million).
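
An added example, not part of the original thread: a small Python lint for a local rules file that applies the range given in the reply (local SIDs are numbers over 1,000,000) and also flags duplicate or missing `sid` options. The function names are hypothetical, and the sample rules other than the one quoted in the question are constructed.

```python
import re
# Range stated in the reply: local/test SIDs are numbers over one million.
LOCAL_SID_FLOOR = 1_000_000
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')           # quoted option values
SID_RE = re.compile(r"[(;]\s*sid\s*:\s*(\d+)\s*;")  # the sid option itself

SAMPLE = r"""# constructed local.rules; first rule is the one from the question, wrapped with backslashes
alert udp any -> any 4369 (msg:"Remote Shell Trojan"; \
  flow:to_server,established; content:"DOM";reference:bugtraq,1234; \
  classtype:attempted-user; sid:1234;  rev:1;)
alert tcp any any -> any 80 (msg:"constructed A"; content:"sid:5;"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed B"; content:"x"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed C"; content:"y"; rev:1;)
"""

def logical_rules(text):
    """Yield (first_line_no, rule), joining backslash-continued lines."""
    buf, start = "", None
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # skip blanks and comments between rules
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield start, buf + line
            buf, start = "", None
    if buf:
        yield start, buf

def lint_local_sids(text):
    """Return sorted (line_no, problem) findings for a rules file."""
    findings, seen = [], {}
    for n, rule in logical_rules(text):
        # Blank out quoted strings so content:"sid:5;" is not read as the sid.
        m = SID_RE.search(QUOTED.sub('""', rule))
        if not m:
            findings.append((n, "no sid option"))
            continue
        sid = int(m.group(1))
        if sid <= LOCAL_SID_FLOOR:
            findings.append((n, f"sid {sid} is not above {LOCAL_SID_FLOOR}"))
        seen.setdefault(sid, []).append(n)
    for sid, lines in seen.items():
        findings += [(d, f"sid {sid} already used on line {lines[0]}") for d in lines[1:]]
    return sorted(findings)

if __name__ == "__main__":
    for n, problem in lint_local_sids(SAMPLE):
        print(f"line {n}: {problem}")
```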