[Snort-sigs] Effective rule for bots

Paul Schmehl pauls at ...1311...
Tue Apr 19 09:17:53 EDT 2005

I've been using this rule for a few weeks and it's working quite well to 
catch boxes infected with SDBot and other backdoors.  Thought I'd share it.

alert tcp $HOME_NET any -> any 445 (msg: "ALERT!!! Excessive Port 445 traffic!!!"; flags:S; threshold: type both, track by_src, count 500, seconds 60; classtype:trojan-activity; sid: 10000006; rev: 2;)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
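The rule above fires when one internal host sends 500 SYN packets to port 445 within 60 seconds and then stays quiet for the rest of that window ("threshold: type both, track by_src"). The following Python simulation, added here as an illustration and not part of the original post, replays that threshold logic over constructed flow records so the behaviour can be checked without a sensor. It assumes $HOME_NET is 10.0.0.0/24 and models the "type both" semantics from the Snort 2 manual (alert once per interval after the count is reached); the IP addresses and event counts are made up.

```python
"""Simulate the Snort threshold used by the posted rule
(type both, track by_src, count 500, seconds 60) on constructed data."""
from collections import namedtuple
from typing import Dict, List, Tuple

# One flow record: timestamp (s), source, destination, dst port, TCP flags
Event = namedtuple("Event", "ts src dst dport flags")

HOME_NET_PREFIX = "10.0.0."  # assumption: $HOME_NET is 10.0.0.0/24


def matches_rule(ev: Event) -> bool:
    """Static part of the rule: tcp $HOME_NET any -> any 445 with flags:S
    (SYN set and no other flag, i.e. a connection attempt, not a reply)."""
    return ev.src.startswith(HOME_NET_PREFIX) and ev.dport == 445 and ev.flags == "S"


class ThresholdBoth:
    """'threshold: type both': fire once per window after `count` matching
    events from the same tracked key, then suppress until the window expires."""

    def __init__(self, count: int = 500, seconds: int = 60) -> None:
        self.count = count
        self.seconds = seconds
        # key (source IP) -> [window_start, hits_in_window, already_fired]
        self.state: Dict[str, list] = {}

    def observe(self, ev: Event) -> bool:
        st = self.state.get(ev.src)
        if st is None or ev.ts - st[0] >= self.seconds:
            st = [ev.ts, 0, False]  # start a fresh window for this source
            self.state[ev.src] = st
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True  # one alert per window
            return True
        return False


def run_detection(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (timestamp, source) for every alert the rule would raise."""
    th = ThresholdBoth(count=500, seconds=60)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if matches_rule(ev) and th.observe(ev):
            alerts.append((ev.ts, ev.src))
    return alerts


def build_sample_events() -> List[Event]:
    """Constructed traffic: one bot-like host, one benign SMB client."""
    events = []
    # Bot-like host: 600 SYNs to port 445 across many targets in 30 s
    for i in range(600):
        events.append(Event(i // 20, "10.0.0.5", f"192.0.2.{i % 250}", 445, "S"))
    # Same host again after the 60 s window has expired: should alert again
    for i in range(550):
        events.append(Event(70 + i // 20, "10.0.0.5", f"198.51.100.{i % 250}", 445, "S"))
    # Benign client talking to one file server: 20 SYNs in a minute, no alert
    for i in range(20):
        events.append(Event(3 * i, "10.0.0.7", "10.0.0.10", 445, "S"))
    # Packets that fail the static match and must not count towards the threshold
    events.append(Event(1, "10.0.0.5", "10.0.0.10", 445, "SA"))  # SYN-ACK reply
    events.append(Event(1, "10.0.0.5", "203.0.113.1", 80, "S"))  # other port
    return events


if __name__ == "__main__":
    for ts, src in run_detection(build_sample_events()):
        print(f"t={ts:>3}s  alert: excessive port 445 SYNs from {src}")
```

Running it prints two alerts for 10.0.0.5 (one per 60-second window, at the 500th SYN of each burst) and none for 10.0.0.7, which is the behaviour to expect from the rule: a legitimate client with a few dozen SMB connections per minute stays under the threshold, while a host sweeping port 445 trips it quickly and does not flood the console with one alert per packet.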
