
[Snort-sigs] Rule for Sebek2 Traffic

From: Andrew Hintz (Drew) <drew(at)overt.org>
Date: Thu Apr 10 2003 - 20:35:10 EDT


Here's a quick rule that picks up Sebek2 traffic. Sebek2 is a backdoor that is intended to be used to monitor Linux honeypots. However, it could of course have plenty of other malicious uses.

### Sebek2 Detection Rule ###

# you can set this to 'any' and still get a low # of false positives
var SEBEK_PORTS 1101

# TTL is configurable, but 1 by default
# TOS of 13 is hardcoded into the source
# the sebek packet ID is 4 bytes, so dsize is > 4

# you'll get an alert on *every* sebek packet. If you only want to
# get one for every 256 sebek packets (roughly every 85 keystrokes), add
# the following three lines:
# content: "|00|"; \

alert udp any $SEBEK_PORTS -> any $SEBEK_PORTS (msg:"Sebek2 traffic"; \
    ttl:1; \
    tos:13; \
    dsize:>4; \
    reference:url,project.honeynet.org/papers/honeynet/tools/; \
    classtype:policy-violation; sid:1000000; rev:1;)

#EOF

--
^Drew
http://guh.nu

--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--



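The following is an added example, not part of Drew's post or of the Snort project: it re-implements the rule's matching conditions (UDP between $SEBEK_PORTS, ttl:1, tos:13, dsize:>4) in Python over a few constructed IPv4/UDP datagrams, so you can see which packets would alert and how each condition contributes. The packet builder, the 16-byte dummy payload and the 10.0.0.x addresses are constructed test data, not real Sebek output; the port list mirrors "var SEBEK_PORTS 1101", and passing "any" mirrors the comment about setting the variable to 'any'.

```python
import struct
from dataclasses import dataclass

SEBEK_PORTS = (1101,)   # mirrors "var SEBEK_PORTS 1101" in the rule
IPPROTO_UDP = 17


@dataclass
class UdpPacket:
    tos: int
    ttl: int
    src_port: int
    dst_port: int
    payload: bytes   # what Snort's dsize measures


def build_udp_packet(tos, ttl, sport, dport, payload):
    """Construct a minimal IPv4+UDP datagram (constructed test data; checksums left zero)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,          # version 4, IHL 5 (20-byte header)
                         tos, 20 + udp_len,     # TOS byte, total length
                         0, 0,                  # identification, flags/fragment offset
                         ttl, IPPROTO_UDP, 0,   # TTL, protocol, header checksum (unset)
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


def parse_ipv4_udp(raw):
    """Parse raw bytes into a UdpPacket; return None for non-IPv4, non-UDP or truncated input."""
    if len(raw) < 20:
        return None
    ver_ihl, tos, _tot, _id, _frag, ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or proto != IPPROTO_UDP or len(raw) < ihl + 8:
        return None
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + max(udp_len, 8)]
    return UdpPacket(tos, ttl, sport, dport, payload)


def matches_sebek2_rule(pkt, ports=SEBEK_PORTS):
    """The rule's conditions: udp any $SEBEK_PORTS -> any $SEBEK_PORTS, ttl:1, tos:13, dsize:>4."""
    if pkt is None:
        return False
    port_ok = ports == "any" or (pkt.src_port in ports and pkt.dst_port in ports)
    return port_ok and pkt.ttl == 1 and pkt.tos == 13 and len(pkt.payload) > 4


def scan(raw_packets, ports=SEBEK_PORTS):
    """Return the indices of packets that would raise the 'Sebek2 traffic' alert."""
    return [i for i, raw in enumerate(raw_packets)
            if matches_sebek2_rule(parse_ipv4_udp(raw), ports)]


# Constructed sample traffic (not real Sebek payloads): a 16-byte dummy payload.
DUMMY_PAYLOAD = bytes(range(16))
SAMPLE_PACKETS = [
    build_udp_packet(tos=13, ttl=1, sport=1101, dport=1101, payload=DUMMY_PAYLOAD),  # alerts
    build_udp_packet(tos=13, ttl=2, sport=1101, dport=1101, payload=DUMMY_PAYLOAD),  # TTL not default
    build_udp_packet(tos=0,  ttl=1, sport=1101, dport=1101, payload=DUMMY_PAYLOAD),  # TOS not 13
    build_udp_packet(tos=13, ttl=1, sport=1101, dport=1101, payload=b"\x00" * 4),    # dsize not > 4
    build_udp_packet(tos=13, ttl=1, sport=53,   dport=53,   payload=DUMMY_PAYLOAD),  # wrong ports
]

if __name__ == "__main__":
    print("alerting packets:", scan(SAMPLE_PACKETS))             # [0]
    print("with SEBEK_PORTS any:", scan(SAMPLE_PACKETS, "any"))  # [0, 4]
```

The second sample packet is the one to keep in mind: because the TTL is configurable in Sebek, a honeypot operator who changes it away from 1 silently drops out of this rule, while the hard-coded TOS of 13 and the minimum payload size keep matching. Widening the port variable to "any" picks up the last packet at the cost of the false positives the post mentions.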
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Thu Apr 10 21:04:58 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:26 EDT
