[Snort-users] portscans from 255.255.255.255?

Matt Kettler mkettler at ...7367...
Thu Jan 30 13:32:08 EST 2003


This is likely to be the Q backdoor.

It should be caught be the second of these two rules from backdoor.rules:

alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - 
Q ICMP";
  itype: 0; dsize: >1; reference:arachnids,202; 
sid:183;  classtype:misc-activity; re
v:3;)

alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; 
flags:A+;
dsize: >1;  reference:arachnids,203; sid:184;  classtype:misc-activity; rev:3;)


Note that it won't match a grep "255.255.255.255" but it will match a grep 
"255\.255\.255\."

  ( . is a wildcard to grep, I added the \'s to prevent the grep from 
matching 255x255x255x instead of 255.255.255.)



At 12:39 PM 1/30/2003 -0800, twig les wrote:
>Hey all, I have seriously debated whether I should
>send this since it may or may not be off-topic; it's
>just too bizarre to tell.  My border routers are
>sysloging this:
>
>bdr-acl-in denied tcp 255.255.255.255(80) ->
>1.1.156.194(8118)
>
>The acl is named correctly - these hits are coming
>from the outside.  They hit random IPs in our range
>like NMAP, and they always target a high port coming
>from 80.  I would assume they are from a LAN upstream
>since only routers doing stupid things forward
>broadcasts.  The implications of this coming from our
>upstream provider are quite large since we peer via
>dual /30s.
>
>It isn't crucial to my security (we don't let those
>shenanigans in the border), but does snort see this as
>bad traffic?  I did a quick "grep 255.255.255.255 *"
>in the snortrules dir and only came up with a couple
>of snmp rules.  I would like to know if I should write
>a rule for this since I only caught this by accident
>this time.
>
>
>=====
>-----------------------------------------------------------
>Know yourself and know your enemy and you will never fear defeat.
>-----------------------------------------------------------
>
>__________________________________________________
>Do you Yahoo!?
>Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
>http://mailplus.yahoo.com
>
>
>-------------------------------------------------------
>This SF.NET email is sponsored by:
>SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
>http://www.vasoftware.com
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list