backdoor.rules

This is the snapshot of Snot Latest Rules

# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: backdoor.rules,v 1.75.6.22 2008/07/29 18:04:18 vrtbuild Exp $
#---------------
# BACKDOOR RULES
#---------------
#

alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_client,established; content:"|0D 0A|[RPL]002|0D 0A|"; metadata:policy security-ips drop; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:9;)
alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; metadata:policy security-ips drop; classtype:trojan-activity; sid:107; rev:7;)


alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; depth:6; nocase; pcre:"/^NetBus\s+\d+\x2E\d+/smi"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/file-backdoor-netbus-12-exe.html; classtype:trojan-activity; sid:109; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; metadata:policy security-ips drop; reference:arachnids,403; classtype:trojan-activity; sid:110; rev:6;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; sid:3009; rev:3;)
alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; metadata:policy security-ips drop; classtype:trojan-activity; sid:115; rev:11;)


# 3150, 4120
alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; flow:to_server; content:"00"; depth:2; metadata:policy security-ips drop; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1980; rev:7;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:policy security-ips drop; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:195; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; flow:to_server; content:"00"; depth:2; metadata:policy security-ips drop; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1981; rev:7;)
alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:policy security-ips drop; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1982; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; flow:to_server; content:"00"; depth:2; metadata:policy security-ips drop; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1983; rev:6;)
alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:policy security-ips drop; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1984; rev:6;)


alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; metadata:policy security-ips drop; reference:arachnids,312; classtype:misc-activity; sid:119; rev:6;)
alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; content:"Connected."; metadata:policy security-ips drop; classtype:trojan-activity; sid:1985; rev:3;)