Snort mailing list archives
RE: BACKDOR ??
From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Tue, 30 Oct 2001 02:02:53 +0200
Hi!

The rule that triggered the alert (NetMetro Incoming Traffic) works simply by looking at the source and destination ports of TCP traffic, and thus easily generates false alarms. It gets triggered whenever there's incoming TCP traffic coming from port 5031 to any other port but 53 and 80:

    alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flags: A+; reference:arachnids,79; sid:160; rev:1; resp: rst_all;)

I have had to disable the rule on several networks because of the masses of false alarms it caused. So, it's most probably a false alarm. Just to be sure, check that the host 192.168.7.250 does not have NetMetro installed.

Here's a typical example of what might have happened:

1. A user on host 192.168.7.250 (client) opens an FTP connection to 217.126.184.188 (server) with Netscape. To do that, the client makes a TCP connection from a random port number (say, 1243) to the server's FTP command channel, which runs at port 21.

    192.168.7.250:1243 => 217.126.184.188:21

2. As the user is using Netscape, passive FTP mode is used. So, the client and the server make a deal that data (directory listings, file transfers etc.) are transferred so that the client opens the data channel by connecting to a random port (say, 5031) on the server. The source port is once again random -- 4520 happens to be free, so let's use it.

    192.168.7.250:4520 => 217.126.184.188:5031

3. Now the user requests a file listing (ls) from the server. The server happily sends data via the already established data channel:

    217.126.184.188:5031 => 192.168.7.250:4520

SNORT! There's traffic coming from an external address, port 5031, to our home network, to a port other than 53 and 80. =)

I hope this helps!

Cheers!
- Jyri
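To show exactly which packet of the passive-FTP session described in the reply above trips sid 160, here is an added Python sketch of the rule's header matching. It is not Snort's code and not from the post; it assumes $HOME_NET is 192.168.0.0/16 and $EXTERNAL_NET is its complement (the usual snort.conf default), and it implements Snort's port syntax, where `53:80` is the inclusive range 53..80 and a leading `!` negates it.

```python
import ipaddress
from dataclasses import dataclass

# Assumed snort.conf variables (not given in the post).
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flag letters, e.g. "S", "PA"


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def port_matches(spec: str, port: int) -> bool:
    """Evaluate a Snort port spec: 'any', '5031', '53:80', ':1024', '!53:80'."""
    negated = spec.startswith("!")
    body = spec.lstrip("!")
    if body == "any":
        lo, hi = 0, 65535
    elif ":" in body:
        lo_s, hi_s = body.split(":", 1)
        lo, hi = (int(lo_s) if lo_s else 0), (int(hi_s) if hi_s else 65535)
    else:
        lo = hi = int(body)
    return (lo <= port <= hi) != negated


def netmetro_rule_matches(pkt: Packet) -> bool:
    """alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (flags: A+;)"""
    return (not in_home_net(pkt.src_ip)          # $EXTERNAL_NET = !$HOME_NET
            and in_home_net(pkt.dst_ip)
            and port_matches("5031", pkt.src_port)
            and port_matches("!53:80", pkt.dst_port)
            and "A" in pkt.flags)                # A+ : ACK set, others allowed


# Constructed packets following the three steps of the post.
SESSION = [
    Packet("192.168.7.250", 1243, "217.126.184.188", 21, "S"),     # control channel
    Packet("192.168.7.250", 4520, "217.126.184.188", 5031, "S"),   # PASV data connect
    Packet("217.126.184.188", 5031, "192.168.7.250", 4520, "PA"),  # ls output -> alert
]


def alerting_packets(packets):
    """Return the indexes of packets that would raise the NetMetro alert."""
    return [i for i, p in enumerate(packets) if netmetro_rule_matches(p)]
```

Only the third packet, the server's data-channel reply, satisfies every header test; the same session with a PASV port inside 53..80 or a client port inside that range would be ignored by the rule.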