mungushume Posted June 29, 2007 Report Share Posted June 29, 2007 Within a corporate network i sometimes run uTorrent v1.6.1 build 490Amongst other sniffers on our Internet traffic we run http://www.winsnort.com/During use of uTorrent the following rule in winsnort was triggered repeatedly. <code>alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR superspy 2.0 beta runtime detection - file management"; flow:from_server,established; flowbits:isset,superSpy_20_Beta_FileMgt; content:"|01 03|"; depth:2; nocase; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726; classtype:trojan-activity; sid:8477; rev:1; )</code>Here is a sample of the log file generated<code>Generated by BASE v1.3.5 (xxxxxx) on Thu, 14 Jun 2007 11:15:05 +0100#9-609689| [2007-06-08 21:56:40] 10.0.0.244:3551 -> 62.1.180.158:57742 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-610811| [2007-06-08 22:48:38] 10.0.0.244:3551 -> 62.1.180.158:57742 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-612058| [2007-06-08 23:35:46] 10.0.0.244:3673 -> 68.204.247.59:29992 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-612605| [2007-06-08 23:58:42] 10.0.0.244:3673 -> 68.204.247.59:29992 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-628326| [2007-06-09 16:49:19] 10.0.0.244:3341 -> 87.205.168.245:44167 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-628981| [2007-06-09 17:29:12] 10.0.0.244:3341 -> 87.205.168.245:44167 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-629489| [2007-06-09 17:53:13] 10.0.0.244:3926 -> 62.56.56.198:48778 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-633578| [2007-06-09 22:18:59] 10.0.0.244:3503 -> 87.194.50.49:54948 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-648987| [2007-06-10 16:46:26] 10.0.0.244:1968 -> 89.2.41.57:12409 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-672781| [2007-06-10 23:20:36] 10.0.0.244:4899 -> 86.123.186.79:35071 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-683921| [2007-06-11 01:18:25] 10.0.0.244:4492 -> 24.150.220.164:44172 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-684553| [2007-06-11 01:25:24] 10.0.0.244:4492 -> 24.150.220.164:44172 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-691452| [2007-06-11 02:47:11] 10.0.0.244:4492 -> 24.150.220.164:44172 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-693274| [2007-06-11 03:13:03] 10.0.0.244:4492 -> 24.150.220.164:44172 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-693875| [2007-06-11 03:20:12] 10.0.0.244:4492 -> 24.150.220.164:44172 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-694792| [2007-06-11 03:31:43] 10.0.0.244:4492 -> 24.150.220.164:44172 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-705521| [2007-06-11 05:50:21] 10.0.0.244:4492 -> 24.150.220.164:44172 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-748350| [2007-06-12 00:06:17] 10.0.0.244:3023 -> 71.9.134.59:59595 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-748997| [2007-06-12 00:27:16] 10.0.0.244:3023 -> 71.9.134.59:59595 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-749352| [2007-06-12 00:38:50] 10.0.0.244:3023 -> 71.9.134.59:59595 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management#9-749521| [2007-06-12 00:46:46] 10.0.0.244:3023 -> 71.9.134.59:59595 [url/www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726] [local/8477] [snort/1:8477] BACKDOOR superspy 2.0 beta runtime detection - file management</code>I'm certainly no expert with winsnort but should i be concerned? Is this a false positive?In essence I've stopped using uTorrent and am now looking for a new torrent client.I'd be interested in others comments and input. Regards slightly troubled Link to comment Share on other sites More sharing options...
DreadWingKnight Posted June 29, 2007 Report Share Posted June 29, 2007 what heuristic is that trying to use to identify this?It's a total false positive.The remote administration capabilities of uTorrent are limited to uTorrent and cannot spread beyond that.Additionally, those remote administration capabilities need to be turned on manually. They are off by default.Overly paranoid software firewall (which appears to be par for the course for software firewalls) Link to comment Share on other sites More sharing options...
mungushume Posted June 29, 2007 Author Report Share Posted June 29, 2007 Ok I've just done a little more digging on this and found this post http://www.networksecurityarchive.org/html/Snort-Signatures/2007-02/msg00018.htmlIt seems as though the sniffer is looking for a heuristic based upon the rule (content:"|01 03|"; depth:2; )Content |01 03| ???That doesn't actually sound like a very well constructed rule. I imagine with the shear number of packets produced by P2P software this data is going to be present and trigger the rule at some point.As my foreign friends would say "my bad"Regards A bit happier Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.