[Snort-users] Port 10008/tcp ?

Tudor Panaitescu tpanaitescu at ...2032...
Tue May 15 14:04:32 EDT 2001


No typo. Please check the link below, down the page, Lion v3:

http://www.whitehats.com/library/worms/lion/index.html

(Thanks to H D Moore <hdm at ...1714...>).

By the way it is not in the ports database, it is not in the rules either, not
in the vision.rules. Just in case, quick and dirty, based on the analysis on
whitehats.com I added to my local.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1008 (msg: "Lion v1/2 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 33567 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 33568 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 60008 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10008 (msg: "Lion v3 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "Lion v3 trojan access attempted";)

Any comments on these rules are welcome... ;-)

All the best,
Tudor


"Bunter, Matthew" <Matthew.Bunter at ...2008...> on 05/15/2001 12:25:32 PM



To:  snort-users at lists.sourceforge.net
cc:  (bcc: Tudor Panaitescu/ColorconUS)

Subject:  RE: [Snort-users] Port 10008/tcp ?




Just in case you did a typo (not accusing you or anything)
10007 is for mvs capacity and 10080 is for something called amanda
Nothing for 10007

Matt

> -----Original Message-----
> From: Tudor Panaitescu [SMTP:tpanaitescu at ...2032...]
> Sent: 15 May 2001 16:46
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Port 10008/tcp ?
>
> Hello everyone !
>
> Does anybody know what is this port, 10008/tcp for ?
>
> I've got some attempts, always 2 at a time from the same source address.
>
> TIA,
> Tudor
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
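
Added example, not part of the original thread: a small Python model of the port-only rules above, run over constructed packets, showing that they also fire on return traffic to a home host whose ephemeral source port happens to be one of the listed ports. The 192.0.2.0/24 home network, the packet list and the syn_only switch (which models adding Snort's "flags: S;" option to each rule) are assumptions made for the illustration.

```python
import re

# The seven rules from the post, one per line (ports and msg text unchanged).
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 1008 (msg: "Lion v1/2 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 33567 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 33568 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 60008 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10008 (msg: "Lion v3 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "Lion v3 trojan access attempted";)
"""
RULE_RE = re.compile(
    r'alert tcp \$EXTERNAL_NET any -> \$HOME_NET (\d+) \(msg: "([^"]+)";\)')

def parse_rules(text):
    """Return {destination_port: msg} for the port-only rules."""
    return {int(port): msg for port, msg in RULE_RE.findall(text)}

HOME = "192.0.2."  # assumed $HOME_NET (documentation range)

# Constructed packets: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    ("203.0.113.9", 4312, "192.0.2.10", 10008, "S"),   # inbound connection attempt
    ("203.0.113.9", 4313, "192.0.2.10", 27374, "S"),   # inbound connection attempt
    ("198.51.100.80", 80, "192.0.2.20", 33567, "SA"),  # web server answering a home client
    ("198.51.100.80", 80, "192.0.2.20", 33567, "A"),   # same session, later segment
    ("203.0.113.9", 4314, "192.0.2.10", 22, "S"),      # port not covered by the rules
]

def alerts(rules, packets, syn_only=False):
    """Apply the rules; syn_only=True alerts only on packets with just SYN set."""
    hits = []
    for src, sport, dst, dport, flags in packets:
        inbound = dst.startswith(HOME) and not src.startswith(HOME)
        if not inbound or dport not in rules:
            continue
        if syn_only and flags != "S":
            continue  # reply or mid-session segment, not a new connection attempt
        hits.append((src, sport, dport, flags, rules[dport]))
    return hits

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for label, flag in (("as posted", False), ("SYN only", True)):
        print(label)
        for hit in alerts(rules, PACKETS, syn_only=flag):
            print("  ", hit)
```

As posted, the rules raise four alerts on this sample, two of them on ordinary web replies to port 33567; restricted to SYN-only packets, only the two inbound connection attempts remain.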
