[Snort-sigs] About the connection in the alert of BackDoor
snortmaillist at ...2420...
Mon Jan 7 01:08:20 EST 2008
Happy new year!
I'm analysing the role of the participants in an alert. I found
there is some difficulty in analysing the alerts in the BACKDOOR class.
There is commonly the word 'connection' in the alert names, but it may
mean the attacker connecting to the victim in some cases and the
victim connecting to the attacker in others.
I first supposed that Snort is protecting the home net, so the
participant in the home net would be the victim. However, I found some
For example, for the alert 'BACKDOOR FsSniffer connection attempt',
its rule is :
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer
connection attempt"; flow:to_server,established; content:"RemoteNC
Control Password|3A|"; reference:nessus,11854;
classtype:trojan-activity; sid:2271; rev:2;)
The flow:to_server seems to indicate that an attacker in the home net
is connecting to an external victim.
So, should I judge the roles by the flow option? Is the flow option
accurate enough to support my analysis? I seem to have seen some
inconsistent cases involving the flow option.
By the way, another related case is the alert 'WEB-CLIENT Outlook
EML access'. For that alert, who is the attacker and who is the victim?
Thank you very much!
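Added example, not part of the post and not Snort project code: a small Python script that reads a Snort rule and reports which address field is the TCP client (the host that opened the session) and which is the server, from the header direction and the flow option. In Snort, to_server and from_client mean the matched packet travels from the client to the server, and to_client and from_server the reverse, where the client is the side that started the TCP handshake. The FsSniffer rule is the one quoted above; the other two rules are constructed for this example (local-range SIDs) to show the to_client case and a rule whose flow option carries no direction, which the script reports as undecided. The script only tells you who opened the session; the header and flow option do not record which party is the attacker.

```python
"""Derive the TCP client/server roles of a Snort rule's two address fields
from the header direction and the flow option (added example)."""
import re

# flow keywords stating that the matched packet travels client -> server
CLIENT_TO_SERVER = {"to_server", "from_client"}
# flow keywords stating that the matched packet travels server -> client
SERVER_TO_CLIENT = {"to_client", "from_server"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)$"
)


def parse_rule(text):
    """Return (header dict, options dict) for one Snort rule.
    Line wrapping is undone first; options are split on unescaped ';'."""
    m = HEADER_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:40])
    header = {k: m.group(k) for k in
              ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = {}
    for opt in re.split(r"(?<!\\);", m.group("body")):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options.setdefault(key.strip(), []).append(value.strip())
    return header, options


def session_roles(rule_text):
    """Map the rule's src/dst fields to the TCP client (session initiator)
    and server. 'client' stays None when the rule does not pin it down."""
    header, options = parse_rule(rule_text)
    flow = set()
    for value in options.get("flow", []):
        flow.update(tok.strip() for tok in value.split(","))
    result = {"src": header["src"], "dst": header["dst"], "dir": header["dir"],
              "flow": sorted(flow), "client": None, "server": None, "note": ""}
    if flow & CLIENT_TO_SERVER and flow & SERVER_TO_CLIENT:
        result["note"] = "contradictory flow direction keywords"
    elif header["dir"] == "<>":
        result["note"] = "bidirectional header: flow cannot say which side is the client"
    elif flow & CLIENT_TO_SERVER:
        # packet goes client -> server, so the header's source is the client
        result["client"], result["server"] = header["src"], header["dst"]
    elif flow & SERVER_TO_CLIENT:
        # packet goes server -> client, so the header's destination is the client
        result["client"], result["server"] = header["dst"], header["src"]
    else:
        result["note"] = "no direction keyword in flow; initiator not determined"
    return result


# The rule quoted in the post above (sid 2271), with its mail wrapping kept.
FSSNIFFER_RULE = """alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer
connection attempt"; flow:to_server,established; content:"RemoteNC
Control Password|3A|"; reference:nessus,11854;
classtype:trojan-activity; sid:2271; rev:2;)"""

# Constructed for this example: the external host sends the matched packet,
# but to_client says the home host opened the session.
CONSTRUCTED_TO_CLIENT_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
                              '(msg:"EXAMPLE server reply"; flow:to_client,established; '
                              'content:"hello"; sid:1000001; rev:1;)')

# Constructed for this example: no direction keyword at all.
CONSTRUCTED_NO_DIRECTION_RULE = ('alert tcp $HOME_NET any <> $EXTERNAL_NET any '
                                 '(msg:"EXAMPLE undirected"; flow:established; '
                                 'sid:1000002; rev:1;)')

if __name__ == "__main__":
    for rule in (FSSNIFFER_RULE, CONSTRUCTED_TO_CLIENT_RULE,
                 CONSTRUCTED_NO_DIRECTION_RULE):
        r = session_roles(rule)
        print("%s %s %s flow=%s -> client=%s server=%s %s" % (
            r["src"], r["dir"], r["dst"], ",".join(r["flow"]),
            r["client"], r["server"], r["note"]))
```

For the FsSniffer rule the script reports $HOME_NET as the client and $EXTERNAL_NET as the server, i.e. the home-net host opened the connection, which is exactly what flow:to_server on a $HOME_NET -> $EXTERNAL_NET header encodes. The constructed to_client rule shows why the header's source address alone is misleading: the matched packet comes from $EXTERNAL_NET, yet the home host is the initiator. Rules with no direction keyword, or a bidirectional header, are flagged rather than guessed.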