[Snort-sigs] Effective rule for bots
pauls at ...1311...
Tue Apr 19 09:17:53 EDT 2005
I've been using this rule for a few weeks and it's working quite well to
catch boxes infected with SDBot and other backdoors. Thought I'd share it.
alert tcp $HOME_NET any -> any 445 (msg: "ALERT!!! Excessive Port 445 traffic!!!"; flags:S; threshold: type both, track by_src, count 500, seconds 60; classtype:trojan-activity; sid: 10000006; rev: 2;)
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
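As an added illustration (not part of the original post), the following Python models how the rule's `threshold: type both, track by_src, count 500, seconds 60` clause decides when to alert, and also covers the other two Snort 2.x threshold types so the behaviour of "both" can be compared against "limit" and "threshold". The sample connection list is constructed; the class and function names are the example's own.

```python
from collections import defaultdict
from dataclasses import dataclass

# Threshold parameters taken from the rule in the post.
COUNT = 500
SECONDS = 60

@dataclass
class _State:
    start: float = 0.0   # start time of the current interval for this source
    seen: int = 0        # matching events seen in the current interval

class ThresholdTracker:
    """Models Snort 2.x per-rule event thresholding, tracked by source IP.

    limit:     alert on events 1..count within an interval, then stay quiet.
    threshold: alert on every count-th event within an interval.
    both:      alert once, when count is reached, then stay quiet until the
               interval expires (the type used in the posted rule).
    """
    def __init__(self, kind="both", count=COUNT, seconds=SECONDS):
        assert kind in ("limit", "threshold", "both")
        self.kind, self.count, self.seconds = kind, count, seconds
        self._by_src = defaultdict(_State)

    def event(self, src, ts):
        """Feed one rule match (a SYN to tcp/445 from src at time ts).
        Returns True if Snort would emit an alert for this event."""
        st = self._by_src[src]
        if st.seen == 0 or ts - st.start >= self.seconds:
            st.start, st.seen = ts, 0          # interval expired: start a new one
        st.seen += 1
        if self.kind == "limit":
            return st.seen <= self.count
        if self.kind == "threshold":
            return st.seen % self.count == 0
        return st.seen == self.count           # both

def alerts_for(events, kind="both", count=COUNT, seconds=SECONDS):
    """Replay (src, ts) events in order; return the (src, ts) pairs that alert."""
    trk = ThresholdTracker(kind, count, seconds)
    return [(src, ts) for src, ts in events if trk.event(src, ts)]

# Constructed sample: 10.0.0.5 opens 600 SMB connections in 30 s (scanning
# pattern), 10.0.0.9 opens 20 spread over 10 minutes (normal file sharing).
SAMPLE = sorted(
    [("10.0.0.5", 1000 + i * 0.05) for i in range(600)]
    + [("10.0.0.9", 1000 + i * 30) for i in range(20)],
    key=lambda e: e[1])
```

Replaying `SAMPLE` through the default "both" tracker yields exactly one alert, for 10.0.0.5, while the slow host never trips the rule.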