[Snort-users] RST.B / EGP

Ryan Russell ryan at ...35...
Tue Jan 8 08:57:03 EST 2002

It looks like I was incorrect about RST.b using EGP.  Qualys has done some
research on it, and it looks like it responds to UDP packets after all.
My confusion is because it specifically allocates an EGP socket, but then
goes into promiscuous mode, so I guess that doesn't matter.  However,
there are some particular packet characteristics one could look for.  Keep
an eye out for some more information about RST.b over the next couple of


On Tue, 8 Jan 2002, Ian Cudlip wrote:

> Hello All,
> Has anyone looked into the RST.b trojan? I was considering tracking EGP (proto
> 8) to identify infected machines. Also, does anyone have any signatures?
> Ian.