[Snort-users] BACKDOOR QAZ Worm Client Login access?

Matt Kettler mkettler at ...4108...
Thu May 20 16:07:01 EDT 2004


At 02:57 PM 5/20/2004, sart at ...11843... wrote:
>The SID is 108 and the message is "BACKDOOR QAZ Worm Client Login access."
>I have the sensor on a port mirroring all traffic to the DMZ.
>The Source address in the "SID 108" alert is the internal address of our
>SMTP server, and the Destination is 192.6.1.3.
>The Payload is [length = 5, 000 : 00 00 00 00 45]

That sounds more like a bug in your version of snort.

That packet should definitely not match that rule. The rule is looking for a 10-byte hex sequence in the payload, and 00 isn't in it (71 61 7a 77 73 78 2e 68 73 71).

Was the port on the destination even correct? (port 7597)
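To make the two checks in the reply concrete, here is a small re-check of the reported alert. This is an added example, not code from the original post or from the Snort project. It assumes the SID 108 rule matches on destination TCP port 7597 and on the 10-byte content quoted above, 71 61 7a 77 73 78 2e 68 73 71 ("qazwsx.hsq"), as a contiguous byte sequence anywhere in the payload, which is how a Snort `content:` match behaves. The packets below are constructed samples, not captured traffic; the reported 5-byte payload is given port 7597 so that the port check passes and only the content check is exercised.

```python
"""Re-check an alert's payload against the SID 108 port and content conditions.

Added example, not code from the mailing-list post or the Snort project.
Assumptions: the rule's conditions are dport 7597 and a contiguous content
match on b"qazwsx.hsq"; all packets below are constructed samples.
"""
from dataclasses import dataclass

# The 10-byte hex sequence quoted in the reply: 71 61 7a 77 73 78 2e 68 73 71
QAZ_CONTENT = bytes.fromhex("71617a7773782e687371")  # == b"qazwsx.hsq"
QAZ_PORT = 7597


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def matches_sid108(pkt: Packet) -> bool:
    """Mimic the rule: destination port first, then a contiguous content
    match anywhere in the payload (what Snort's content: keyword does)."""
    if pkt.dport != QAZ_PORT:
        return False
    return QAZ_CONTENT in pkt.payload


def shared_bytes(pkt: Packet) -> set:
    """Byte values that appear in both the payload and the rule content.
    An empty set means no single byte of the content is even present."""
    return set(pkt.payload) & set(QAZ_CONTENT)


def explain(pkt: Packet) -> str:
    """Human-readable verdict: 'match' or 'no match: <reasons>'."""
    reasons = []
    if pkt.dport != QAZ_PORT:
        reasons.append(f"dport {pkt.dport} != {QAZ_PORT}")
    if len(pkt.payload) < len(QAZ_CONTENT):
        reasons.append(
            f"payload is {len(pkt.payload)} bytes, content needs {len(QAZ_CONTENT)}"
        )
    elif QAZ_CONTENT not in pkt.payload:
        reasons.append("content bytes not present as a contiguous sequence")
    if not shared_bytes(pkt):
        reasons.append("no byte of the content occurs in the payload")
    return "match" if not reasons else "no match: " + "; ".join(reasons)


# Constructed samples (addresses are placeholders, not the poster's).
# The payload is the one quoted in the alert: 00 00 00 00 45, length 5.
REPORTED = Packet("10.0.0.25", "192.6.1.3", 7597, bytes.fromhex("0000000045"))
# What a genuine QAZ client login would carry, by the rule's own content.
LOGIN = Packet("203.0.113.7", "10.0.0.25", 7597, b"qazwsx.hsq\r\n")
# Same content on a different port: the rule should stay silent.
WRONG_PORT = Packet("203.0.113.7", "10.0.0.25", 25, b"qazwsx.hsq")

if __name__ == "__main__":
    for name, pkt in (("reported", REPORTED), ("login", LOGIN), ("wrong_port", WRONG_PORT)):
        print(f"{name:10s} -> {explain(pkt)}")
```

Running the block prints a verdict per sample: the reported 5-byte payload cannot satisfy a 10-byte content match and shares no byte value with it, the constructed login payload matches, and the same content on port 25 does not. If a production sensor still raises SID 108 on a packet like the reported one, the rule engine rather than the rule is the place to look, which is the point the reply makes.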
