[Snort-sigs] About the connection in the alert of BackDoor

Sun snortmaillist at ...2420...
Thu Jan 3 00:22:00 EST 2008


Hi all,

    Happy new year!

    I'm analysing the roles of the participants in an alert. I found 
there is some difficulty in analysing the alerts in the BACKDOOR class. 
There is commonly the word 'connection' in the alert names, but it may 
sometimes mean the attacker connecting to the victim and sometimes the 
victim connecting to the attacker.

    I first supposed Snort is protecting the home net, so the 
participant in the home net would be the victim. However, I found some 
special cases.

    For example, for the alert 'BACKDOOR FsSniffer connection attempt', 
its rule is :

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;)

    The flow:to_server seems to indicate that an attacker in the home net 
is connecting to an external victim.

    So, should I judge the roles by the flow option? Is the flow option 
accurate enough to support my analysis? I seem to have seen some 
inconsistent cases regarding the flow option.

    By the way, another related case is the alert 'WEB-CLIENT Outlook 
EML access'. For this alert, who is the attacker and who is the victim?

    Thank you very much!

    Best regards!


    Mingming

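A small check of how the rule header and the flow option together identify which side opened the TCP session, as an added example that is not from the post or from the Snort project; the FsSniffer rule is the one quoted above, the to_client and bidirectional rules are constructed.

```python
import re

# Constructed sample input: the FsSniffer rule as quoted in the post.
FSSNIFFER_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer '
    'connection attempt"; flow:to_server,established; content:"RemoteNC '
    'Control Password|3A|"; reference:nessus,11854; '
    'classtype:trojan-activity; sid:2271; rev:2;)')
# Constructed rules (not real Snort signatures) covering the other cases.
TO_CLIENT_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed '
                  'server-to-client example"; flow:to_client,established; sid:1000001;)')
BIDIR_RULE = ('alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"constructed '
              'bidirectional example"; flow:established; sid:1000002;)')

HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.S)
# Sufficient here; a content string with a literal ';' would need
# quote-aware option parsing instead of this regex.
FLOW_RE = re.compile(r'\bflow:\s*([^;]+);')


def connection_roles(rule):
    """Return (initiator_net, responder_net): the header variable naming the
    host that opened the TCP session and the one naming the host that
    accepted it. Returns None when the rule does not pin that down."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError('unparseable rule header')
    flow = FLOW_RE.search(m.group('opts'))
    keywords = {k.strip() for k in flow.group(1).split(',')} if flow else set()
    src, dst = m.group('src'), m.group('dst')
    if m.group('dir') == '<>':
        return None  # either side may be the packet source; no role info
    # Snort's "client" is whoever initiated the session (sent the SYN).
    if keywords & {'to_server', 'from_client'}:
        return src, dst  # matched packets travel client -> server
    if keywords & {'to_client', 'from_server'}:
        return dst, src  # matched packets travel server -> client
    return None  # no direction keyword: src/dst alone say nothing about roles


if __name__ == '__main__':
    for rule in (FSSNIFFER_RULE, TO_CLIENT_RULE, BIDIR_RULE):
        print(HEADER_RE.match(rule).group('src'), '->', connection_roles(rule))
```

The function only answers who opened the connection, not who is the attacker; for a backdoor rule the msg text and the side that matched still have to be read together to assign victim and attacker.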