This is the rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File
List"; flow:to_server,established; content:"--"; reference:arachnids,79;
classtype:misc-activity; sid:159; rev:6;)
The online writeup for the rule is here:
<http://www.snort.org/pub-bin/sigs.cgi?sid=159>
It reads, in part, "The server portion opens TCP port 5031 by default to
establish a connection between client and server."
Antionline lists the default NetMetro port as 5031:
<http://www.antionline.com/printthread.php?threadid=130966>
Dark-e, which has the trojan available for download in two version (1.0.0
and 1.0.4), lists the default port as 5031 and states that the port cannot
be changed:
<http://www.dark-e.com/archive/trojans/NetMetro/index.html>
Unfortunately, I can't get to whitehats.com right now, but I'm certain it
would also list the default port as 5031.
Looks to me like the rule is wrong. It should read:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5031 (msg:"BACKDOOR NetMetro File
List"; flow:to_server,established; content:"--"; reference:arachnids,79;
classtype:misc-activity; sid:159; rev:7;)
Correct?
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
