Snort mailing list archives
Re: alert questions
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 14 Dec 2001 11:35:27 -0500
So that everyone doesn't have to go grepping their rule files for "sid:112", this is a content-based rule for Back Orifice access detection.
backdoor.rules:alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags: A+; content: "server|3a| BO|2f|"; reference:arachnids,400; sid:112; classtype:misc-activity; rev:3;)
I'm no expert, but at a casual glance and brief thought I'd be a little surprised if this triggered and it was a false alarm; that strikes me as a very abnormal sequence, even for a binary to contain (although it is possible).
That said, I've never had the rule trigger at all (snorting a T1 with roughly 50<n<100 office users for about 9 months now).
At 11:20 PM 12/13/2001 -0500, Brian wrote:
Have any of you seen sid:112 trigger and it was not a false alarm? If so, please email me. The only reference to this sid is that it is one of the original Ron Gula dragon sigs that Max converted.
--
After I'm dead I'd rather have people ask why I have no monument than why I have one. -- Cato the Elder
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
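Matt's reading of the content match can be checked directly. The following Python is an added example, not part of the original thread and not Snort's own code: it decodes the sid:112 content string (`|3a|` and `|2f|` are Snort's pipe-delimited hex escapes for `:` and `/`), applies the rule's source-port and ACK-flag (`flags: A+`) conditions, and runs the result over constructed sample payloads. It also shows one caveat for anyone tuning the rule: without a `nocase` modifier the match is case-sensitive, so a response carrying `Server: BO/` with a capital S would not fire.

```python
# The content pattern exactly as it appears in the sid:112 rule quoted above.
SID112_CONTENT = "server|3a| BO|2f|"


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode a Snort 'content' string into raw bytes.

    Text outside |...| is taken literally; text inside |...| is a run of
    space-separated hex bytes. Splitting on '|' alternates literal and hex
    chunks, so even-numbered chunks are literal and odd-numbered are hex.
    """
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes(int(h, 16) for h in chunk.split())
    return bytes(out)


def rule_112_matches(src_port: int, tcp_flags: str, payload: bytes,
                     nocase: bool = False) -> bool:
    """Emulate the per-packet checks of sid:112 on a single TCP segment.

    - source port must be 80 (the rule is $HOME_NET 80 -> $EXTERNAL_NET any)
    - 'flags: A+' means ACK set, any other flags allowed
    - the decoded content must appear in the payload; Snort compares bytes
      case-sensitively unless the rule carries 'nocase', which sid:112 does not.
    The 'nocase' parameter here is an assumption added to show that difference.
    """
    if src_port != 80 or "A" not in tcp_flags:
        return False
    needle = snort_content_to_bytes(SID112_CONTENT)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


# Constructed sample payloads (not captured traffic), built to exercise the rule.
BO_RESPONSE = b"HTTP/1.0 200 OK\r\nserver: BO/1.0\r\n\r\n"      # lowercase header
CAPITALIZED = b"HTTP/1.0 200 OK\r\nServer: BO/1.0\r\n\r\n"      # capital S
BENIGN = b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.20\r\n\r\n"    # ordinary web server


def demo() -> dict:
    """Return which constructed samples sid:112 would alert on."""
    return {
        "lowercase_bo": rule_112_matches(80, "PA", BO_RESPONSE),
        "capitalized_bo": rule_112_matches(80, "PA", CAPITALIZED),
        "capitalized_bo_nocase": rule_112_matches(80, "PA", CAPITALIZED, nocase=True),
        "benign": rule_112_matches(80, "PA", BENIGN),
        "wrong_port": rule_112_matches(8080, "PA", BO_RESPONSE),
        "no_ack": rule_112_matches(80, "S", BO_RESPONSE),
    }
```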