Network Security Snort-Signatures

[Snort-sigs] FP for psyBNC - sig 493

Subject: [Snort-sigs] FP for psyBNC - sig 493
Date: Fri, 4 Nov 2005 13:04:05 +0000 (GMT)
Hi,

We recently picked up a compromised machine running psyBNC on a strange port, thanks to sig 493:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access";
  flow:from_server,established; content:"Welcome!psyBNC@lam3rz.de";
  classtype:bad-unknown; sid:493; rev:5;)

The banner itself looked like this:

  > telnet <ip> <port>

  :Welcome!psyBNC@lam3rz.de NOTICE * :MaZuRRel

We emailed the machine owner to let him know, only for the rule to trigger again, this time for a dialog coming from port 110 on our mail server...

As it turned out, we'd included the banner string in our message, and so when the chap read his email (with POP), the snort rule fired!

In all the psyBNC instances I've seen, the banner starts with a colon, immediately followed by the "Welcome!psyBNC" string. So it may make sense to add a "depth" option to restrict the rule to only searching the start of a packet. This should reduce false positives, and improve the rule efficiency.

Counting the characters in the tested-for string, and adding one for the colon, I'd suggest depth: 25; would be sufficient. I guess there'd be little harm in testing up to e.g. 30 for good measure.

PS - with the rule in its current form, my sending this email is probably going to trigger snorts all over the world...

Cheers

--
Chris Edwards, Glasgow University Computing Service
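The effect of the suggested "depth" modifier, as an added example that is not part of the original post or of the Snort rule set: a small Python emulation of a Snort content match with and without depth, run over two constructed payloads (a psyBNC-style banner of the shape quoted above, and a made-up POP3 RETR response carrying a notification email that repeats the banner string). The payload bytes, the helper names and the POP3 fragment are assumptions made for this illustration; only the content string and the depth arithmetic come from the mail.

```python
from typing import Optional

# Content string from sid 493 (as quoted in the mail).
PSYBNC_CONTENT = b"Welcome!psyBNC@lam3rz.de"

# Constructed sample payloads (not real captures):
# 1. a psyBNC banner as the mail describes it: a colon, then the content
#    string, then the rest of the NOTICE line.
BANNER = b":Welcome!psyBNC@lam3rz.de NOTICE * :MaZuRRel\r\n"

# 2. a fragment of a POP3 session (server side, port 110) delivering the
#    notification email, in which the same string appears deep inside the
#    message body.  This is the false-positive case from the mail.
POP3_RETR = (
    b"+OK 512 octets\r\n"
    b"From: abuse@example.invalid\r\n"
    b"Subject: compromised host running psyBNC\r\n"
    b"\r\n"
    b"Hi, the banner we saw was:\r\n"
    b":Welcome!psyBNC@lam3rz.de NOTICE * :MaZuRRel\r\n"
    b".\r\n"
)


def content_matches(payload: bytes, content: bytes,
                    depth: Optional[int] = None) -> bool:
    """Emulate a Snort `content` match with an optional `depth` modifier.

    Without depth, Snort searches the whole payload.  With depth:N the
    pattern must be fully contained within the first N bytes of the
    payload, so a string that merely starts inside the window but ends
    past it does not match.
    """
    haystack = payload if depth is None else payload[:depth]
    return content in haystack


def suggested_depth(content: bytes, leading_bytes: int = 1) -> int:
    """The mail's arithmetic: length of the content plus one for the
    leading colon that precedes it in every observed banner."""
    return len(content) + leading_bytes


def evaluate(depth: Optional[int]) -> dict:
    """Return which of the two constructed payloads would fire sid 493
    at the given depth (None = the rule as it currently stands)."""
    return {
        "banner": content_matches(BANNER, PSYBNC_CONTENT, depth),
        "pop3_email": content_matches(POP3_RETR, PSYBNC_CONTENT, depth),
    }


if __name__ == "__main__":
    d = suggested_depth(PSYBNC_CONTENT)
    print("suggested depth:", d)
    print("no depth   :", evaluate(None))   # both fire -> the false positive
    print("depth", d, ":", evaluate(d))     # only the real banner fires
    print("depth", d - 1, ":", evaluate(d - 1))  # one byte short: banner missed
```

Running it shows the trade-off the mail points at: with no depth both the banner and the mailed copy of it fire; with depth:25 only the banner fires; with depth:24 the window cuts the string one byte short and the real banner is missed, which is why a little headroom (the mail's "up to e.g. 30") costs nothing and guards against a banner with an extra leading byte.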


