[Snort-users] BACKDOOR ACTIVITY rules

Jim Forster jforster at ...176...
Fri Oct 6 20:35:42 EDT 2000


These should not have been included in the standard distro file....   I'll
pull 'em back out.
They are normally just in the set of non-sig based, and most people do not
use them.
<Thought I fixed that in the last release - DOH!>

----- Original Message -----
From: Joe McAlerney <joey at ...155...>
To: snort-users <snort-users at lists.sourceforge.net>
Sent: Friday, October 06, 2000 6:23 PM
Subject: [Snort-users] BACKDOOR ACTIVITY rules


> We've noticed a number of these rule types producing many false
> positives when we updated to the 10042k.rules rule set.  They were
> getting set off by things like DNS and FTP traffic, as well as other
> services below 1024.  Since they are looking for traffic from such
> trojans as Back Orifice 2k, Invasor, Striker, Totaleclipse, etc., I was
> hesitant to just make a fresh batch of pass rules.
>
> I really do not know how each of the trojans operates, but would it be a
> good idea to only alert on destination traffic on port 1024 and above
> for backdoor activity rules?  Has anyone researched trojan traffic
> patterns?
>
> Example rule:
>
> alert udp $HOME_NET 54321 -> any any (msg:"IDS189 - BACKDOOR ACTIVITY-Possible Back Orifice 2k";)
>
> Proposed rule:
>
> alert udp $HOME_NET 54321 -> any 1024: (msg:"IDS189 - BACKDOOR ACTIVITY-Possible Back Orifice 2k";)
>
> Your feedback is appreciated.
>
> -Joe M.
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
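Added example, not part of the thread and not Snort's own matching code: a small Python matcher for the header part of the two rules quoted above, run over constructed packets, to show the false-positive case Joe describes (a home host answering DNS from source port 54321) and what the "1024:" destination restriction does and does not exclude. $HOME_NET is assumed to be 192.168.1.0/24, the packet tuples are constructed rather than captured, and only the "->" direction is handled because that is all both rules use.

```python
"""Evaluate the header (proto/addresses/ports) of a Snort rule against packets.

Added example for the IDS189 discussion; the rule text is taken from the
thread, everything else (HOME_NET value, packets) is assumed/constructed.
"""
import ipaddress
import re

# Assumed value for $HOME_NET; any CIDR works for the demonstration.
RULE_VARS = {"$HOME_NET": "192.168.1.0/24"}

ORIGINAL_RULE = ('alert udp $HOME_NET 54321 -> any any '
                 '(msg:"IDS189 - BACKDOOR ACTIVITY-Possible Back Orifice 2k";)')
PROPOSED_RULE = ('alert udp $HOME_NET 54321 -> any 1024: '
                 '(msg:"IDS189 - BACKDOOR ACTIVITY-Possible Back Orifice 2k";)')

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_port_spec(spec):
    """Turn a Snort port field into an inclusive (low, high) tuple.

    Handles 'any', a single port, 'N:' (N and above), ':N' (N and below)
    and 'N:M'. This is the field Joe's proposed rule changes from 'any' to '1024:'.
    """
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    port = int(spec)
    return (port, port)


def _net(token):
    """Resolve a rule variable and return an ip_network, or None for 'any'."""
    token = RULE_VARS.get(token, token)
    if token == "any":
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_rule(text):
    """Parse action/proto/src/sport/->/dst/dport and pull out the msg option."""
    m = HEADER_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unparseable rule header: " + text)
    msg = re.search(r'msg:"([^"]*)"', m["opts"])
    return {
        "proto": m["proto"],
        "src": _net(m["src"]), "sport": parse_port_spec(m["sport"]),
        "dst": _net(m["dst"]), "dport": parse_port_spec(m["dport"]),
        "msg": msg.group(1) if msg else "",
    }


def rule_matches(rule, pkt):
    """pkt is (proto, src_ip, src_port, dst_ip, dst_port); '->' direction only."""
    proto, sip, sport, dip, dport = pkt

    def in_net(net, ip):
        return net is None or ipaddress.ip_address(ip) in net

    def in_range(rng, port):
        return rng[0] <= port <= rng[1]

    return (proto == rule["proto"]
            and in_net(rule["src"], sip) and in_range(rule["sport"], sport)
            and in_net(rule["dst"], dip) and in_range(rule["dport"], dport))


# Constructed packets, not captured traffic. 192.168.1.10 is inside the
# assumed $HOME_NET; the 10.0.0.x hosts are outside it.
SAMPLE_PACKETS = {
    "dns_query_from_54321": ("udp", "192.168.1.10", 54321, "10.0.0.53", 53),
    "bo2k_server_reply":    ("udp", "192.168.1.10", 54321, "10.0.0.99", 4000),
    "tcp_on_54321":         ("tcp", "192.168.1.10", 54321, "10.0.0.99", 4000),
    "outside_src":          ("udp", "10.0.0.5", 54321, "192.168.1.10", 53),
    "high_port_peer":       ("udp", "192.168.1.10", 54321, "10.0.0.7", 8080),
}


def firing_packets(rule_text, packets=SAMPLE_PACKETS):
    """Names of the sample packets whose header the rule would alert on."""
    rule = parse_rule(rule_text)
    return sorted(name for name, pkt in packets.items() if rule_matches(rule, pkt))


if __name__ == "__main__":
    for label, rule_text in (("original", ORIGINAL_RULE), ("proposed", PROPOSED_RULE)):
        print(label, firing_packets(rule_text))
```

Running both rules over the samples shows the DNS packet dropping out under the proposed header, while the two high-port packets still fire on both: a home host that happens to pick 54321 as an ephemeral source port toward any peer above 1023 still trips the proposed rule, because neither version carries a content match and the only discriminator is the port pair.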