[Snort-sigs] Reference for 1985.1 (BACKDOOR Doly 1.5 server response)?

nnposter at ...592...
Mon Jun 7 15:10:05 EDT 2004


Could the Snort signature masters be so kind as to provide a reference that
explains why SID 1985.1 is defined the way it is? I was able to find a few
fairly good descriptions, including the ones referenced in
doc/signatures/1985.txt, but they all concur on a substantially different
description from the one the Snort rule would suggest. In particular, it looks
like the trojan is listening on 1015/tcp and there is no restriction on
the client port.

http://www.hackfix.org/miscfix/doly.shtml
http://www.dark-e.com/archive/trojans/doly/150/index.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_DOLY15.B&VSect=T

It seems to me that the correct signature would be:

alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any \
(msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; \
content:"Connected."; classtype:trojan-activity; sid:1985; rev:2;)


TIA,
nnposter
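Added example, not part of the original post and not Snort code: a small Python evaluator that parses the proposed rev:2 rule header and options and runs it over a few hand-constructed TCP segments, to show which traffic the rule as written would alert on (server source port 1015, any client port, server-to-client direction, payload containing "Connected."). It assumes $HOME_NET is 10.0.0.0/8 and $EXTERNAL_NET is everything else, only handles the `->` direction, and models Snort's `flow:` keywords as two boolean flags on each segment; the sample segments and addresses are constructed for the example.

```python
"""Evaluate the proposed Doly 1.5 rule against constructed TCP segments.

This is an illustrative re-implementation of a tiny subset of Snort's
matching logic, not Snort itself. Assumptions: $HOME_NET = 10.0.0.0/8,
$EXTERNAL_NET = not $HOME_NET, direction operator is always "->".
"""
import ipaddress
import re

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption for the example

# The rule proposed in the post, on one line.
RULE = ('alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any '
        '(msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; '
        'content:"Connected."; classtype:trojan-activity; sid:1985; rev:2;)')


def parse_rule(text):
    """Split a Snort rule into its header fields and an options dict."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    if direction != "->":
        raise ValueError("only the -> direction is modelled here")
    options = {}
    # Each option is name:value; where value may be a double-quoted string.
    for name, value in re.findall(r'(\w+):("[^"]*"|[^;]*);', opts.rstrip(")")):
        options[name] = value.strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def addr_in(addr, spec):
    """Resolve $HOME_NET / $EXTERNAL_NET (assumed values) or a literal address."""
    ip = ipaddress.ip_address(addr)
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":
        return ip not in HOME_NET
    return ip == ipaddress.ip_address(spec)


def port_matches(port, spec):
    return spec == "any" or port == int(spec)


def rule_matches(rule, seg):
    """True if the segment satisfies the header, flow: and content: checks."""
    if not (addr_in(seg["src"], rule["src"]) and port_matches(seg["sport"], rule["sport"])
            and addr_in(seg["dst"], rule["dst"]) and port_matches(seg["dport"], rule["dport"])):
        return False
    flow = set(rule["options"].get("flow", "").split(","))
    if "from_server" in flow and not seg["from_server"]:
        return False
    if "established" in flow and not seg["established"]:
        return False
    content = rule["options"].get("content")
    if content is not None and content.encode() not in seg["payload"]:
        return False
    return True


# Constructed segments (addresses and ports invented for the example).
SEGMENTS = {
    # Trojan server on 1015/tcp answering a client on an ephemeral port.
    "server_banner": dict(src="10.1.2.3", sport=1015, dst="198.51.100.7", dport=49152,
                          payload=b"Connected.", from_server=True, established=True),
    # Same response to a client that picked a different source port: still matches,
    # since the rule places no restriction on the client port.
    "server_banner_other_client_port": dict(src="10.1.2.3", sport=1015, dst="198.51.100.7",
                                            dport=1234, payload=b"Connected.",
                                            from_server=True, established=True),
    # Client-to-server direction: fails the $HOME_NET/1015 source side of the header.
    "client_to_server": dict(src="198.51.100.7", sport=49152, dst="10.1.2.3", dport=1015,
                             payload=b"Connected.", from_server=False, established=True),
    # Right direction and payload, but not from port 1015.
    "other_server_port": dict(src="10.1.2.3", sport=8080, dst="198.51.100.7", dport=49152,
                              payload=b"Connected.", from_server=True, established=True),
    # Right header and direction, but the banner is absent.
    "no_banner": dict(src="10.1.2.3", sport=1015, dst="198.51.100.7", dport=49152,
                      payload=b"Welcome", from_server=True, established=True),
}


def evaluate(rule_text=RULE, segments=SEGMENTS):
    """Return {segment name: alerts?} for the given rule."""
    rule = parse_rule(rule_text)
    return {name: rule_matches(rule, seg) for name, seg in segments.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:32s} {'ALERT' if hit else '-'}")
```

Only the two server-to-client segments from port 1015 carrying "Connected." alert; the client-to-server segment is rejected by the header before `flow:` is even consulted, which is the point of putting 1015 on the $HOME_NET side and `any` on the client side.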



