[Snort-users] BACKDOOR ACTIVITY rules

Martin Roesch roesch at ...421...
Fri Oct 6 22:12:20 EDT 2000


Well, the real problem here is that port-only rules just kind of suck in
general.  :)  I mean, there's a fairly decent chance that you're going to see
traffic to those ports at some point that's nothing more than apps chatting,
etc.  Generally, I like to see at least *one* rule option used with an alert
rule to really make me happy that some condition is being met other than the
existence of the traffic...

    -Marty

Joe McAlerney wrote:
> 
> We've noticed a number of these rule types producing many false
> positives when we updated to the 10042k.rules rule set.  They were
> getting set off by things like DNS and FTP traffic, as well as other
> services below 1024.  Since they are looking for traffic from such
> trojans as Back Orifice 2k, Invasor, Striker, Totaleclipse, etc., I was
> hesitant to just make a fresh batch of pass rules.
> 
> I really do not know how each of the trojans operate, but would be a
> good idea to only alert on destination traffic on port 1024 and above
> for backdoor activity rules?  Has anyone researched trojan traffic
> patterns?
> 
> Example rule:
> 
> alert udp $HOME_NET 54321 -> any any (msg:"IDS189 - BACKDOOR
> ACTIVITY-Possible Back Orifice 2k";)
> 
> Proposed rule:
> 
> alert udp $HOME_NET 54321 -> any 1024: (msg:"IDS189 - BACKDOOR
> ACTIVITY-Possible Back Orifice 2k";)
> 
> Your feedback is appreciated.
> 
> -Joe M.
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org



More information about the Snort-users mailing list