[Snort-sigs] Question about sid:159

Paul Schmehl pauls at ...1311...
Wed Jun 15 14:40:40 EDT 2005


This is the rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File 
List"; flow:to_server,established; content:"--"; reference:arachnids,79; 
classtype:misc-activity; sid:159; rev:6;)

The online writeup for the rule is here:
<http://www.snort.org/pub-bin/sigs.cgi?sid=159>

It reads, in part, "The server portion opens TCP port 5031 by default to 
establish a connection between client and server."

Antionline lists the default NetMetro port as 5031:
<http://www.antionline.com/printthread.php?threadid=130966>

Dark-e, which has the trojan available for download in two versions (1.0.0 
and 1.0.4), lists the default port as 5031 and states that the port cannot 
be changed:
<http://www.dark-e.com/archive/trojans/NetMetro/index.html>

Unfortunately, I can't get to whitehats.com right now, but I'm certain it 
would also list the default port as 5031.

Looks to me like the rule is wrong.  It should read:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5031 (msg:"BACKDOOR NetMetro File 
List"; flow:to_server,established; content:"--"; reference:arachnids,79; 
classtype:misc-activity; sid:159; rev:7;)

Correct?

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
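The rev:6 to rev:7 port correction proposed above, as an added example that is not part of the post or of Snort itself: a small Python parser for the Snort rule syntax (written here for illustration) that pulls the header fields and options out of both rule versions and checks that a revised rule changes only the intended field, keeps the same sid, and increments rev by one. The two rule strings are copied from the post; the helper names are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Two versions of sid:159 as quoted in the post (rev 6 as shipped, rev 7 as proposed).
SID159_REV6 = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File '
    'List"; flow:to_server,established; content:"--"; reference:arachnids,79; '
    'classtype:misc-activity; sid:159; rev:6;)'
)
SID159_REV7 = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 5031 (msg:"BACKDOOR NetMetro File '
    'List"; flow:to_server,established; content:"--"; reference:arachnids,79; '
    'classtype:misc-activity; sid:159; rev:7;)'
)

# Snort rule layout: action proto src sport direction dst dport ( options )
_HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)
# Options are "key:value;" or bare "key;"; a value may be a quoted string containing ';'.
_OPTION_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;])*))?;')


def parse_rule(text: str) -> Dict[str, str]:
    """Parse one Snort rule into a flat dict of header fields and options.

    Whitespace is collapsed first so a rule wrapped over several lines (as in
    mailing-list posts) parses; note that this also collapses whitespace inside
    quoted content strings, which is acceptable for this kind of check but not
    for regenerating rules.
    """
    flat = " ".join(text.split())
    m = _HEADER_RE.match(flat)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    for key, val in _OPTION_RE.findall(m.group("opts")):
        val = val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]  # unquote msg/content style values for readability
        rule[key] = val
    return rule


def check_revision(old: str, new: str, allowed_fields: Set[str]) -> Tuple[bool, List[str]]:
    """Verify a rule revision: same sid, rev bumped by one, only allowed fields changed."""
    a, b = parse_rule(old), parse_rule(new)
    problems: List[str] = []
    if a.get("sid") != b.get("sid"):
        problems.append("sid changed")
    if int(b.get("rev", "0")) != int(a.get("rev", "0")) + 1:
        problems.append("rev not incremented by one")
    for k in sorted(set(a) | set(b)):
        if k == "rev" or k in allowed_fields:
            continue
        if a.get(k) != b.get(k):
            problems.append("unexpected change in %s" % k)
    return (not problems, problems)


if __name__ == "__main__":
    print("rev 6 destination port:", parse_rule(SID159_REV6)["dport"])
    print("rev 7 destination port:", parse_rule(SID159_REV7)["dport"])
    print("revision check:", check_revision(SID159_REV6, SID159_REV7, {"dport"}))
```

Running it shows the only change between the two rules is the destination port, with rev correctly bumped; editing the port without touching rev is reported as a problem, which is the kind of mistake a rule-review script should catch before a changed rule is deployed.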
