No subject


Thu Nov 23 16:36:19 EST 2017


 Summary  
 
This indicates an attempt to send a command to a compromised Q server. Q is
a backdoor that allows an attacker to run commands remotely as root, among
other functions.  

 How Specific  
 
This event is specific to a particular exploit, but the packet payload is
not considered as part of the signature to detect the attack.   

 Trusting The Source IP Address  
 
Since this event was caused by an ICMP packet, the source IP address could be
easily forged. It has been noted that the intruder is likely to expect or
desire a response to their packets, so it may be likely that the source IP
address is not spoofed.   


CVE entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0660


- Jeff





More information about the Snort-users mailing list