Snort mailing list archives
Detecting VNC, PCAnywhere etc.
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Sun, 5 Aug 2001 15:52:52 -0400
Hello,

A popular method used by hackers after compromising a host on your network is to make some type of connection back out to the Internet to gather tools (usually an FTP, TFTP, VNC, PCAW, Telnet connection etc.). I would like to be able to detect this type of attempt. I tried this using a rule to detect when certain destination ports (i.e. 5631 for PCAnywhere) are accessed, but there is one problem with this. Since machines connect to our web site with a random source port (i.e. 5631, which is used by PCAnywhere), our web server replies with that source port as the destination port in the message going back. This triggers a false positive when it sees 5631 as the destination port, for example.

Is anyone out there checking for this type of traffic on their network, and if so, can you recommend a good rule?

Thanks,
Paul
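The false positive Paul describes comes from matching on destination port alone. The following is an added example (not part of the original post) that models the two rule styles over a handful of constructed packets: the naive port-only rule fires on the web server's replies to a client whose ephemeral port happens to be 5631, while a rule that also requires the outbound direction (HOME_NET to anything else) and a bare SYN only fires on a new connection leaving the network. The HOME_NET range, addresses and port list are assumptions; the Snort rule quoted in the comment is the equivalent the logic is modelled on.

```python
# Added example: why "dport == 5631" false-positives and how direction plus
# TCP flags fix it. All addresses and packets below are constructed samples.
from dataclasses import dataclass
import ipaddress

HOME_NET = ipaddress.ip_network("10.1.0.0/16")            # assumed local range
REMOTE_CONTROL_PORTS = {5631: "pcanywhere", 5900: "vnc",  # assumed watch list
                        23: "telnet", 21: "ftp"}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK

def naive_match(p: Packet) -> bool:
    """The original rule: alert on any packet whose destination port is watched."""
    return p.dport in REMOTE_CONTROL_PORTS

def outbound_connect_match(p: Packet) -> bool:
    """Equivalent of:
       alert tcp $HOME_NET any -> $EXTERNAL_NET 5631 (msg:"PCAW out"; flags:S;)
    Only the initial SYN of a connection leaving HOME_NET can match, so the web
    server's SYN/ACK or ACK replies (source port 80) never trigger it."""
    leaving = (ipaddress.ip_address(p.src) in HOME_NET
               and ipaddress.ip_address(p.dst) not in HOME_NET)
    return leaving and p.dport in REMOTE_CONTROL_PORTS and p.flags == "S"

def alerts(packets, rule):
    """Indexes of packets a rule fires on; used to compare the two rules."""
    return [i for i, p in enumerate(packets) if rule(p)]

# Constructed traffic: a normal web session whose client port is 5631, then a
# compromised internal host really connecting out to PCAnywhere and VNC.
SAMPLE = [
    Packet("198.51.100.7", 5631, "10.1.2.3", 80, "S"),     # 0 client SYN to web
    Packet("10.1.2.3", 80, "198.51.100.7", 5631, "SA"),    # 1 web reply (benign)
    Packet("10.1.2.3", 80, "198.51.100.7", 5631, "A"),     # 2 web data (benign)
    Packet("10.1.5.9", 40001, "203.0.113.50", 5631, "S"),  # 3 outbound PCAW
    Packet("10.1.5.9", 40002, "203.0.113.50", 5900, "S"),  # 4 outbound VNC
]

if __name__ == "__main__":
    print("naive rule fires on:   ", alerts(SAMPLE, naive_match))
    print("outbound SYN rule fires on:", alerts(SAMPLE, outbound_connect_match))
```

Running it shows the naive rule firing on packets 1 and 2 (the web server's replies) as well as 3 and 4, while the direction-plus-SYN rule fires only on 3 and 4.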