[Snort-users] BACKDOOR ACTIVITY rules

Joe McAlerney joey at ...155...
Fri Oct 6 20:23:31 EDT 2000


We've noticed a number of these rule types producing many false
positives when we updated to the 10042k.rules rule set.  They were
getting set off by things like DNS and FTP traffic, as well as other
services below 1024.  Since they are looking for traffic from such
trojans as Back Orifice 2k, Invasor, Striker, Totaleclipse, etc., I was
hesitant to just make a fresh batch of pass rules.

I really do not know how each of the trojans operates, but would it be a
good idea to only alert on destination traffic on port 1024 and above
for backdoor activity rules?  Has anyone researched trojan traffic
patterns?

Example rule:

alert udp $HOME_NET 54321 -> any any (msg:"IDS189 - BACKDOOR ACTIVITY-Possible Back Orifice 2k";)

Proposed rule:

alert udp $HOME_NET 54321 -> any 1024: (msg:"IDS189 - BACKDOOR ACTIVITY-Possible Back Orifice 2k";)

Your feedback is appreciated.

-Joe M.
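The following is an added example, not code from the post above and not part of Snort itself. It implements just enough of Snort's rule-header syntax (action, protocol, source/destination address and port specifiers, where `1024:` means port 1024 and above, `:1023` means up to 1023, and a leading `!` negates) to apply the original and proposed rule headers to a few constructed UDP flows. The `HOME_NET` value and every flow record are made-up sample data chosen to reproduce the situation described in the post: a home host that happens to use ephemeral source port 54321 for a DNS query to port 53 matches the original header but not the proposed one, while traffic from port 54321 to a high destination port still matches both.

```python
"""Compare two Snort-style rule headers against constructed UDP flows.

Added example, not from the original mailing-list post. Models the
false-positive question in the post: does restricting the destination
port to 1024 and above stop the rule firing on DNS and other low-port
service traffic that merely happens to use 54321 as a source port?
"""
import ipaddress
import re

# Constructed placeholder for the $HOME_NET variable; not from the post.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# The two rule headers from the post, joined onto single lines.
ORIGINAL_RULE = ('alert udp $HOME_NET 54321 -> any any '
                 '(msg:"IDS189 - BACKDOOR ACTIVITY-Possible Back Orifice 2k";)')
PROPOSED_RULE = ('alert udp $HOME_NET 54321 -> any 1024: '
                 '(msg:"IDS189 - BACKDOOR ACTIVITY-Possible Back Orifice 2k";)')

# Constructed sample flows (desc, proto, src, sport, dst, dport).
FLOWS = [
    {"desc": "DNS query from ephemeral port 54321 to external resolver",
     "proto": "udp", "src": "192.168.1.10", "sport": 54321, "dst": "10.0.0.53", "dport": 53},
    {"desc": "NTP request from ephemeral port 54321",
     "proto": "udp", "src": "192.168.1.10", "sport": 54321, "dst": "10.0.0.123", "dport": 123},
    {"desc": "UDP from port 54321 to a high port on an external host",
     "proto": "udp", "src": "192.168.1.10", "sport": 54321, "dst": "10.0.0.7", "dport": 4567},
    {"desc": "TCP from port 54321 (wrong protocol for this rule)",
     "proto": "tcp", "src": "192.168.1.10", "sport": 54321, "dst": "10.0.0.21", "dport": 21},
    {"desc": "External host using source port 54321 toward home net",
     "proto": "udp", "src": "10.0.0.1", "sport": 54321, "dst": "192.168.1.10", "dport": 2000},
]

RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_port_spec(spec):
    """Return (negated, low, high) for a Snort port specifier."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, 0, 65535
    m = re.fullmatch(r"(\d*):(\d*)", spec)      # N:, :N, N:M
    if m:
        low = int(m.group(1)) if m.group(1) else 0
        high = int(m.group(2)) if m.group(2) else 65535
        return negated, low, high
    if spec.isdigit():                           # single port
        return negated, int(spec), int(spec)
    raise ValueError(f"unsupported port specifier: {spec!r}")


def port_matches(spec, port):
    negated, low, high = parse_port_spec(spec)
    inside = low <= port <= high
    return not inside if negated else inside


def addr_matches(spec, ip):
    """Resolve 'any', $HOME_NET, $EXTERNAL_NET or a CIDR against an address."""
    ip = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":
        return ip not in HOME_NET
    return ip in ipaddress.ip_network(spec, strict=False)


def parse_rule(text):
    """Split a one-line Snort rule into its header fields and msg option."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule header: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg = re.search(r'msg:"([^"]*)"', opts)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": msg.group(1) if msg else ""}


def rule_matches(rule, flow):
    return (rule["proto"] == flow["proto"]
            and addr_matches(rule["src"], flow["src"])
            and port_matches(rule["sport"], flow["sport"])
            and addr_matches(rule["dst"], flow["dst"])
            and port_matches(rule["dport"], flow["dport"]))


def alerts_for(rule_text, flows):
    """Return the descriptions of the flows that would trigger the rule."""
    rule = parse_rule(rule_text)
    return [f["desc"] for f in flows if rule_matches(rule, f)]


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_RULE), ("proposed", PROPOSED_RULE)):
        print(f"{label}: {len(alerts_for(rule, FLOWS))} of {len(FLOWS)} flows alert")
        for desc in alerts_for(rule, FLOWS):
            print("   ", desc)
```

Against these constructed flows the original header fires on the DNS and NTP flows as well as the high-port one, and the proposed `1024:` header fires only on the high-port flow. The trade-off is the flip side of the same filter: any traffic from port 54321 to a destination port below 1024 is no longer seen by the rule at all, so the narrowed header should be weighed against whatever is known about how the backdoor in question actually communicates, which is exactly the research question the post raises.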
