[Snort-sigs] Reference for 1985.1 (BACKDOOR Doly 1.5 server response)?

nnposter at ...592...
Mon Jun 7 15:10:05 EDT 2004

Could the snort signature masters be so kind and provide a reference that
explains why SID 1985.1 is defined the way it is? I was able to find a few
fairly good descriptions, including the ones referenced in
doc/signatures/1985.txt, but they all concur on a substantially different
description than the Snort rule would suggest. In particular, it looks
like the trojan is listening on 1015/tcp and there is no restriction on
the client port.


It seems to me that the correct signature would be:

alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any \
(msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; \
content:"Connected."; classtype:trojan-activity; sid:1985; rev:2;)
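
The following is an added example, not part of the post above and not Snort's own code: a minimal matcher that parses the proposed SID 1985 rule and applies its header (source network, source port 1015, any destination port), its flow options and its content match to a few constructed TCP segments. It shows which flows the rule fires on, in particular that the client's port is unconstrained. The $HOME_NET range (192.168.0.0/16), the treatment of $EXTERNAL_NET as everything outside it, and the sample segments are all assumptions made for the example.

```python
# Added example (not from the Snort-sigs post or the Snort project): a minimal
# matcher that applies the header and options of the proposed SID 1985 rule to
# a few constructed TCP segments, to show which flows it does and does not fire on.
import ipaddress
from dataclasses import dataclass

# Assumption: $HOME_NET is 192.168.0.0/16 and $EXTERNAL_NET is everything else.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]

# The rule text as proposed in the post, joined onto one line.
RULE_TEXT = (
    'alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any '
    '(msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; '
    'content:"Connected."; classtype:trojan-activity; sid:1985; rev:2;)'
)


@dataclass
class Segment:
    """One TCP segment plus the stream state that Snort's flow keyword consults."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    from_server: bool   # sent by the side that accepted the handshake
    established: bool   # three-way handshake completed


def parse_rule(text: str) -> dict:
    """Split a single-line Snort 2 rule into header fields and options."""
    header, _, body = text.strip().partition("(")
    action, proto, src_net, src_port, arrow, dst_net, dst_port = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional (->) rules are handled here")
    options = {}
    for opt in body.rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            options[key] = val.strip().strip('"')
    flow = {f.strip() for f in options.get("flow", "").split(",") if f.strip()}
    return {
        "action": action, "proto": proto,
        "src_net": src_net, "src_port": src_port,
        "dst_net": dst_net, "dst_port": dst_port,
        "flow": flow, "content": options["content"].encode(),
        "sid": int(options["sid"]), "rev": int(options.get("rev", "1")),
    }


def in_net_var(ip: str, var: str) -> bool:
    """Resolve $HOME_NET / $EXTERNAL_NET / any against an address."""
    if var == "any":
        return True
    home = any(ipaddress.ip_address(ip) in net for net in HOME_NET)
    return home if var == "$HOME_NET" else not home


def port_ok(port: int, spec: str) -> bool:
    return spec == "any" or port == int(spec)


def rule_matches(rule: dict, seg: Segment) -> bool:
    """True when the segment satisfies the rule header and every option."""
    if not (in_net_var(seg.src, rule["src_net"]) and port_ok(seg.sport, rule["src_port"])):
        return False
    if not (in_net_var(seg.dst, rule["dst_net"]) and port_ok(seg.dport, rule["dst_port"])):
        return False
    if "established" in rule["flow"] and not seg.established:
        return False
    if "from_server" in rule["flow"] and not seg.from_server:
        return False
    if "to_server" in rule["flow"] and seg.from_server:
        return False
    return rule["content"] in seg.payload


# Constructed sample traffic (not captured data). 203.0.113.0/24 is TEST-NET-3.
SAMPLE_SEGMENTS = [
    # server on 1015/tcp answering a client that connected from port 51234
    Segment("192.168.1.10", 1015, "203.0.113.5", 51234, b"Connected.", True, True),
    # same, but the client chose another ephemeral port: still matches,
    # because the rule leaves the client port as "any"
    Segment("192.168.1.10", 1015, "203.0.113.5", 2000, b"Connected.", True, True),
    # server answering from a different port: no match
    Segment("192.168.1.10", 1016, "203.0.113.5", 51234, b"Connected.", True, True),
    # the client's request to the server: wrong direction, no match
    Segment("203.0.113.5", 51234, "192.168.1.10", 1015, b"Connected.", False, True),
    # right flow, wrong payload: no match
    Segment("192.168.1.10", 1015, "203.0.113.5", 51234, b"Connecting", True, True),
]


def evaluate(rule_text: str = RULE_TEXT, segments=SAMPLE_SEGMENTS) -> list:
    """Return one True/False per segment for the given rule."""
    rule = parse_rule(rule_text)
    return [rule_matches(rule, seg) for seg in segments]


if __name__ == "__main__":
    for seg, hit in zip(SAMPLE_SEGMENTS, evaluate()):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} {seg.payload!r}: "
              f"{'ALERT sid:1985' if hit else 'no match'}")
```

Running it prints an alert for the first two segments only: the server port, the direction, the stream state and the payload all have to line up, while the client's ephemeral port plays no part. To see the effect of restricting the client port, change the destination port in RULE_TEXT from any to a fixed value and rerun; the second segment then stops matching.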

