[Snort-sigs] Netcat telnet attack signature
mkettler at ...189...
Thu Sep 11 11:23:15 EDT 2003
At 02:52 PM 9/10/2003 -0400, Graham, Jeffery A. MAJ - G6 wrote:
>Alert tcp $TELNET_SERVERS any -> any any (msg:"TELNET Netcat Remote Shell
>Exploit"; flow:from_server,established; content:"|5c 77 69 63|";
1) That 63 is a typo.. should be a 6e.. you've got it right later in the
message, but this one looks for "\wic"
2) Why do the signature in hex? "\win" is much clearer, and can be done on
a nocase basis. And given Windows' lack of case sensitivity \WINDOWS is the
same as \windows.
>alert tcp $TELNET_SERVERS any -> $HOME_NET any (msg:"TELNET Netcat shell
>exploit"; flow:from_server,established; content:"|3e|";
You are detecting a ">" from a telnet server as a sign of exploit? Ouch
dude. Any time anyone does a file redirection that's going to fire off. Or
do you not do things like:
grep "10\.1\.2\.1" snort.log > alertsfrom_10.1.2.1
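
The three points raised in the reply above can be checked offline. This is an added example, not part of the original message and not Snort's own matcher: it decodes a Snort-style content string (text with |hex| sections) and runs it against constructed server-to-client payloads. The function names and sample payloads are assumptions, and Snort's backslash-escape handling is not modelled, so the backslash is written as |5c|.

```python
def decode_content(spec: str) -> bytes:
    """Decode a Snort-style content string: literal text with |hex bytes| runs.

    Simplification (assumption): backslash escapes inside the text part are
    not handled, so a literal backslash should be written as |5c|.
    """
    out = bytearray()
    # After splitting on '|', odd-indexed pieces are the hex sections.
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def matches(spec: str, payload: bytes, nocase: bool = False) -> bool:
    """Substring match of the decoded content, optionally case-insensitive."""
    pattern = decode_content(spec)
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


# Constructed sample payloads, as a telnet server might send to a client.
SAMPLES = {
    "prompt_lower": b"c:\\windows\\system32>",
    "prompt_upper": b"C:\\WINDOWS\\system32>",
    # Benign shell session echoing the redirection from the reply above.
    "benign_redirect": b'$ grep "10\\.1\\.2\\.1" snort.log > alertsfrom_10.1.2.1\r\n',
}

# (label, content string, nocase)
RULES = [
    ("hex with typo", "|5c 77 69 63|", False),
    ("hex corrected", "|5c 77 69 6e|", False),
    ("text + nocase", "|5c|win", True),
    ("bare '>'", "|3e|", False),
]


def evaluate() -> dict:
    """Return {rule label: sorted list of sample names the rule fires on}."""
    return {
        label: sorted(n for n, p in SAMPLES.items() if matches(spec, p, nocase))
        for label, spec, nocase in RULES
    }


if __name__ == "__main__":
    for label, hits in evaluate().items():
        print(f"{label:15} -> {hits}")
```
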