[Snort-sigs] Netcat telnet attack signature

Matt Kettler mkettler at ...189...
Thu Sep 11 11:23:15 EDT 2003


At 02:52 PM 9/10/2003 -0400, Graham, Jeffery A. MAJ - G6 wrote:

>Alert tcp $TELNET_SERVERS any -> any any (msg:TELNET Netcat Remote Shell 
>Exploit"; flow:from_server,established; content:"|5c 77 69 63|";

1) That 63 is a typo.. should be a 6e.. you've got it right later in the 
message, but this one looks for "\wic"
2) Why do the signature in hex? "\win" is much clearer, and can be done on 
a nocase basis. And given Windows' lack of case sensitivity \WINDOWS is the 
same as \windows.

>alert tcp $TELNET_SERVERS any -> $HOME_NET any (msg:"TELNET Netcat shell 
>exploit"; flow:from_server,established; content:"|3e|"; 
>reference:http://www.atstake.com/research/tools/network_utilities/nc11nt.txt;classtype:shellcode-detect;rev:1;)

You are detecting a ">" from a telnet server as a sign of exploit? Ouch 
dude. Any time anyone does a file redirection that's going to fire off. Or 
do you not do things like:
         grep "10\.1\.2\.1" snort.log > alertsfrom_10.1.2.1
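An added example (not part of the post above, and not Snort's own code): a small emulation of Snort's content option, run over a few constructed telnet-server payloads, to show the two points made above. The `|3e|` pattern fires on an ordinary shell redirection line, the `|5c 77 69 63|` typo never matches a cmd.exe prompt at all, the hex `\win` form only matches the lowercase prompt, and the text form with nocase matches both. The sample payloads, `SAMPLES`, and the helper names are assumptions made for the illustration.

```python
# Added example: emulate Snort's content matching to compare the candidate
# patterns discussed above. Not Snort's own implementation.

# Constructed sample payloads, as a telnet server might send them.
SAMPLES = [
    ("legit prompt", b"user@host:~$ "),
    ("legit redirect", b'grep "10\\.1\\.2\\.1" snort.log > alertsfrom_10.1.2.1\r\n'),
    ("cmd.exe prompt, upper", b"C:\\WINDOWS\\system32>"),
    ("cmd.exe prompt, lower", b"c:\\windows\\system32>"),
]


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as 'foo|5c 77|bar' into bytes.

    Text outside pipe characters is taken literally; text between pipes is
    a run of hex bytes (spaces allowed), as in Snort's content syntax.
    """
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")   # literal text
        else:
            out += bytes.fromhex(chunk)      # |hex bytes|
    return bytes(out)


def content_match(payload: bytes, spec: str, nocase: bool = False) -> bool:
    """Substring match of the content pattern, optionally case-insensitive
    (the equivalent of adding 'nocase;' to the rule)."""
    needle = parse_content(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def which_fire(spec: str, nocase: bool = False) -> list:
    """Names of the sample payloads that a rule with this content would alert on."""
    return [name for name, payload in SAMPLES if content_match(payload, spec, nocase)]


if __name__ == "__main__":
    for spec, nocase in [("|3e|", False), ("|5c 77 69 63|", False),
                         ("|5c 77 69 6e|", False), ("\\win", True)]:
        print(f"content:{spec!r} nocase={nocase} -> {which_fire(spec, nocase)}")
```

One caveat when moving from the emulation to a real rule: a backslash is one of the characters Snort requires to be escaped inside a content string, so the text form is written as `content:"\\win"; nocase;` in the rule file.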