[Snort-sigs] About the connection in the alert of BackDoor

Subject: [Snort-sigs] About the connection in the alert of BackDoor
Date: Thu, 03 Jan 2008 13:22:00 +0800
Hi all,

   Happy new year!

I'm analysing the roles of the participants in an alert. I found there is some difficulty in analysing the alerts in the BACKDOOR class. There is commonly the word 'connection' in the alert names, but sometimes it means the attacker connecting to the victim and sometimes it means the victim connecting to the attacker.

I first supposed that Snort is protecting the home net, so the participant in the home net would be the victim. However, I found some special cases.

For example, for the alert 'BACKDOOR FsSniffer connection attempt', its rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;)

The flow:to_server seems to indicate that an attacker in the home net is connecting to an external victim.

So, should I judge the roles by the flow option? Is the flow option accurate enough to support my analysis? I seem to have seen some inconsistent cases regarding the flow option.

By the way, another related case is the alert 'WEB-CLIENT Outlook EML access'. For that alert, who is the attacker and who is the victim?

   Thank you very much!

   Best regards!


Mingming
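As an added example (my own code, not from the original post or from the Snort project), the script below parses a rule like the one quoted above and maps its src/dst to TCP client/server from the flow option: flow:to_server (or from_client) means the matched packet travels from client to server, so the header's source is the client, while flow:to_client (or from_server) reverses that. It reports only which side opened the connection, which is all the flow option encodes; whether that initiator is the attacker is a judgement about the particular backdoor protocol, and the second rule in the test is a constructed one that shows the same header direction yielding the opposite roles.

```python
import re

# Snort rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

def split_options(opts):
    """Split the option body on ';' but not inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_rule(rule):
    """Return header fields plus an options dict (first value per keyword)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unrecognised rule header")
    fields = m.groupdict()
    options = {}
    for opt in split_options(fields.pop("opts")):
        key, _, value = opt.partition(":")
        options.setdefault(key.strip(), value.strip().strip('"'))
    fields["options"] = options
    return fields

def session_roles(rule):
    """Map the header's src/dst to TCP client/server using the flow option.
    This says who opened the session, not who the attacker is."""
    r = parse_rule(rule)
    flow = {f.strip() for f in r["options"].get("flow", "").split(",")}
    client = server = "undetermined"   # no flow keyword, or a <> header
    if r["dir"] == "->":
        if flow & {"to_server", "from_client"}:   # packet goes client -> server
            client, server = r["src"], r["dst"]
        elif flow & {"to_client", "from_server"}: # packet goes server -> client
            client, server = r["dst"], r["src"]
    return {"sid": r["options"].get("sid"), "msg": r["options"].get("msg"),
            "client": client, "server": server,
            "initiator_in_home_net": client == "$HOME_NET"}

# The FsSniffer rule quoted in the post (sid 2271).
FSSNIFFER = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer '
             'connection attempt"; flow:to_server,established; content:"RemoteNC Control '
             'Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;)')

if __name__ == "__main__":
    print(session_roles(FSSNIFFER))
```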



