[Snort-sigs] About the connection in the alert of BackDoor
joel.esler at ...435...
Mon Jan 7 09:47:46 EST 2008
You have to look at it a couple of ways.
HOME_NET any -> EXTERNAL_NET any okay, so the connection is taking place going outbound from my network.
to_server -> okay, so the connection is taking place STARTING on my network (the initial SYN was sent from my network).
So what this looks like to me is that your network has ALREADY been "infected" with this backdoor, and the machine that is affected is beaconing back home to its master.
What sid is the EML rule?
Don't judge "who the attacker is" by the direction of the flow. You have to take a lot of things into consideration.
On Mon, Jan 07, 2008 at 02:08:20PM +0800, it looks like Sun sent me:
> Hi all,
> Happy new year!
> I'm analysing the role of the participants in an alert. I found
> there is some difficulty in analysing the alerts in the BACKDOOR class.
> There is commonly the word 'connection' in the alert names, but it may
> sometimes mean the attacker connecting to the victim and sometimes the
> victim connecting to the attacker.
> I first supposed that Snort is protecting the home net, so the
> participant in the home net would be the victim. However, I found some
> special cases.
> For example, for the alert 'BACKDOOR FsSniffer connection attempt',
> its rule is :
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer
> connection attempt"; flow:to_server,established; content:"RemoteNC
> Control Password|3A|"; reference:nessus,11854;
> classtype:trojan-activity; sid:2271; rev:2;)
> The flow: to_server seems to indicate that an attacker in the home net
> is connecting to an external victim.
> So, should I judge the roles by the flow option? Is the flow option
> accurate enough to support my analysis? I seem to have seen some
> inconsistent cases with the flow option.
> By the way, another related case is the alert 'WEB-CLIENT Outlook
> EML access'. For that alert, who is the attacker and who is the victim?
> Thank you very much!
> Best regards!
828A A216 6D95 A6BB B386 54F3 ACE3 B833 5F51 4902
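The reasoning in the reply above (header direction tells you which way the matching packet went, flow:to_server tells you that the packet travelled from the host that opened the connection to the host that answered it) can be mechanised. The following is an added example, not code from the thread or from the Snort project: it parses a rule's header and options, takes the src/dst of the packet that fired the alert, and reports which side sent the initial SYN and whether that side is inside HOME_NET. It deliberately stops short of naming an "attacker", which is the point of the reply. The HOME_NET range and the alert IPs are constructed for illustration; the rule text is the one quoted in the question.

```python
"""Who opened the connection behind a Snort alert?

Added example (not from the thread or from Snort).  Uses the FsSniffer
rule quoted in the question plus a constructed HOME_NET and alert IPs.
"""
import ipaddress
import re

# Assumed HOME_NET for this example; a real sensor sets it in snort.conf.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>[^\s(]+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)
# key:value; pairs; a double-quoted value may itself contain ';'
OPTION_RE = re.compile(r'\s*(?P<key>\w+)(?::(?P<val>"[^"]*"|[^;]*))?;')

# The rule text quoted in the question (sid 2271), joined back onto one line.
FSSNIFFER_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer '
    'connection attempt"; flow:to_server,established; content:"RemoteNC '
    'Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; '
    'sid:2271; rev:2;)'
)


def parse_rule(text):
    """Return the header fields, an options dict and the flow keywords as a set."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule header")
    rule = m.groupdict()
    opts = {}
    for om in OPTION_RE.finditer(rule.pop("opts")):
        val = om.group("val")
        opts[om.group("key")] = val.strip('"') if val is not None else None
    rule["options"] = opts
    rule["flow"] = set(opts["flow"].split(",")) if opts.get("flow") else set()
    return rule


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def connection_roles(rule, src_ip, dst_ip):
    """Given the rule and the src/dst of the packet that matched it, say who
    sent the initial SYN.

    flow:to_server (alias from_client): the matching packet went from the
    connection initiator to the responder, so the packet's source opened
    the connection.  flow:to_client (alias from_server): the reverse.
    With no direction keyword the rule does not tell us.
    """
    flow = rule["flow"]
    if "to_server" in flow or "from_client" in flow:
        initiator, responder = src_ip, dst_ip
    elif "to_client" in flow or "from_server" in flow:
        initiator, responder = dst_ip, src_ip
    else:
        return {"initiator": None, "responder": None, "initiated_from_home": None}
    return {
        "initiator": initiator,
        "responder": responder,
        # True means a host on our network started the session, i.e. the
        # "beaconing back home" case in the reply; it does not say who is
        # the attacker.
        "initiated_from_home": in_home_net(initiator),
    }


if __name__ == "__main__":
    rule = parse_rule(FSSNIFFER_RULE)
    # Constructed alert: internal 192.168.1.20 talking to external 203.0.113.5
    roles = connection_roles(rule, "192.168.1.20", "203.0.113.5")
    print(rule["src"], rule["dir"], rule["dst"], sorted(rule["flow"]))
    print(roles)
```

For the FsSniffer rule the output shows HOME_NET -> EXTERNAL_NET with flow to_server, so the internal 192.168.1.20 is the initiator: exactly the "already infected, calling its master" reading in the reply. Run the same alert through a rule written $EXTERNAL_NET -> $HOME_NET with flow:to_client and the internal host is still the initiator, which is why the flow keyword, not the header direction alone, is what identifies the SYN sender.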