[Snort-sigs] SID 113
nigel at ...435...
Wed Sep 24 05:59:05 EDT 2003
This rule is in deleted.rules, documentation for it is also in the deleted
docs pile :) This is true for all the remaining Trojan rules listed in the
needed section of snort.org.
Thanks for taking the time to deal with it though.
Our collective efforts to document the rules are going very well. The
documented rule pile is now 200 docs larger than the non-documented ones.
Many of the non-documented rules listed at snort.org appear to be in
deleted.rules; if you are working on documenting rules please check to
make sure the rule hasn't been deleted.
Most of the outstanding documents are in the web-* categories, so if
anyone feels like getting themselves a shiny new Snort(tm) T-Shirt that
would be a good place to start.
Huge thanks to all who have contributed their time to producing some
informative documentation so far. For anyone thinking about plunging in
and writing, please take a look at the guidelines and remember that all
the work must be original. Feel free to look at the existing docs for
reference also, so you can see how the information is laid out and
Thanks again to everyone.
Around 12:07am Muhammad Faisal Rauf Danka said:
MFRD :# This is a template for submitting snort signature descriptions to
MFRD :# the snort.org website
MFRD :# Ensure that your descriptions are your own
MFRD :# and not the work of others. References in the rules themselves
MFRD :# should be used for linking to other's work.
MFRD :# If you are unsure of some part of a rule, use that as a commentary
MFRD :# and someone else perhaps will be able to fix it.
MFRD :# $Id$
MFRD :special note:
MFRD :the rule probably has a typo; the source port should be 2140 instead of 4120 according to the pertaining arachnids,405. The rule mentioned below is fixed.
MFRD :alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113; classtype:misc-activity; rev:5;)
MFRD :This alert is due to possibility of an active DeepThroat Trojan/Backdoor.
MFRD :Possible control over the target machine, theft of data, misuse of resources, installation of malware possibility, thus providing maximum control to the malicious attacker.
MFRD :Detailed Information:
MFRD :This is a typical trojan activity, Windows based Operating systems are affected.
MFRD :Update Antivirus and Trojan Cleaning utilities must be engaged to eradicate its presence.
MFRD :Affected Systems:
MFRD :Windows based operating systems.
MFRD :Attack Scenarios:
MFRD :As commonly, the trojan may be delivered in the form of a Win32 executable, via email or other means of online file transfers, such as Instant Messengers and chat rooms.
MFRD :Ease of Attack:
MFRD :Easily available trojan. Intuitive in nature, very easy to use trojan. Updated Antiviruses are essential to prevent and / or get rid of infection.
MFRD :False Positives:
MFRD :None known
MFRD :False Negatives:
MFRD :None known
MFRD :Corrective Action:
MFRD :Update antivirus, and engage trojan cleaning utilities, to disinfect from this trojan.
MFRD :Muhammad Faisal Rauf Danka <mfrd at ...1354...>
Nigel Houghton Security Research Engineer Sourcefire Inc.
Vulnerability Research Team
"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister
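An added example, not code from the thread or from the Snort project: a small Python check that parses the SID 113 rule header and options and runs both the rule as posted (source port 4120) and the 2140 form the submitter describes against a constructed UDP datagram, showing why the port typo matters for detection. The parser only handles `any` or a single numeric port and plain `content` matches; that simplification, the sample datagram and its destination port are my assumptions, not Snort's matching engine or real DeepThroat traffic.

```python
import re

# Rule text as quoted in the thread; the corrected form swaps the source port to 2140.
RULE_AS_POSTED = ('alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; '
                  'content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113; '
                  'classtype:misc-activity; rev:5;)')
RULE_CORRECTED = RULE_AS_POSTED.replace(' 4120 ', ' 2140 ', 1)

# Constructed sample: a UDP datagram from source port 2140 carrying the backdoor banner.
# The destination port is arbitrary (the rule says "any"); the payload is made up for the test.
SAMPLE_PKT = {'proto': 'udp', 'sport': 2140, 'dport': 1025,
              'payload': b'--Ahhhhhhhhhh constructed sample payload'}

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(rule):
    """Split a one-line Snort rule into header fields and a list of (option, value) pairs."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError('not a single-line Snort rule')
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for item in body.split(';'):          # assumption: no ';' inside content strings
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(':')
        options.append((key.strip(), val.strip().strip('"')))
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dir': direction, 'dst': dst, 'dport': dport, 'options': options}


def port_matches(spec, port):
    # Only 'any' or one numeric port is supported here (no lists, ranges or negation).
    return spec == 'any' or int(spec) == port


def rule_matches(rule, pkt):
    """True if the packet satisfies protocol, both ports and every content option."""
    r = parse_rule(rule)
    if r['proto'] != pkt['proto']:
        return False
    if not (port_matches(r['sport'], pkt['sport']) and port_matches(r['dport'], pkt['dport'])):
        return False
    # Address variables ($EXTERNAL_NET/$HOME_NET) are assumed to match; check content only.
    contents = [v.encode() for k, v in r['options'] if k == 'content']
    return all(c in pkt['payload'] for c in contents)
```

Against the sample datagram the posted rule never fires because the port check fails before the content is even examined, while the 2140 form matches.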