Figure 2: Excerpt from an example fwsnort.sh script generated
by fwsnort (print-wrapped; long commands and comments span two lines here)
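#!/bin/sh
############ backdoor.rules ############
# Excerpt of an fwsnort-generated script. Each Snort backdoor.rules signature
# is rendered as iptables rules that match on source port, TCP flags and a
# payload string, then LOG the packet with the Snort SID as the log prefix.
# Note these rules only LOG; nothing here drops or rejects the traffic.
#
# As printed, the long commands and comments were wrapped across two lines
# with no continuation, which would not run; they are re-joined below.
#
# $ECHO, $IPTABLES and the fwsnort_* chains are presumably defined earlier in
# the full generated script (not shown in this excerpt). Abort early if the
# variables are missing rather than executing a bare "-A ..." command line.
: "${ECHO:?ECHO must be set}"
: "${IPTABLES:?IPTABLES must be set}"

$ECHO " .. Adding iptables backdoor rules."

# NOTE(review): -m string inspects one packet at a time (no TCP stream
# reassembly), so a payload split across segments is not matched, and the
# match is case-sensitive. Current xt_string builds also require
# --algo bm|kmp; add it if iptables rejects these rules.

### msg: "BACKDOOR subseven 22", classtype: "misc-activity", reference: "arachnids,485"
# Hex payload |0d0a5b52504c5d3030320d0a| is the bytes "\r\n[RPL]002\r\n".
# --tcp-flags ACK ACK: mask ACK, require ACK set (established-side traffic).
$IPTABLES -A fwsnort_INPUT_eth0 -p tcp --sport 27374 --tcp-flags ACK ACK \
  -m string --hex-string "|0d0a5b52504c5d3030320d0a|" -j LOG --log-prefix "SID103 "

### msg: "BACKDOOR subseven 22", classtype: "misc-activity", reference: "arachnids,485"
# Same signature on the FORWARD path, restricted to the 192.168.20.0/24
# destination network.
$IPTABLES -A fwsnort_FORWARD -p tcp --sport 27374 -d 192.168.20.0/24 \
  --tcp-flags ACK ACK -m string --hex-string "|0d0a5b52504c5d3030320d0a|" -j LOG \
  --log-prefix "SID103 "

### msg: "BACKDOOR netbus active", classtype: "misc-activity", reference: "arachnids,401"
# Source port range 12345-12346, plain (non-hex) string match on "NetBus".
$IPTABLES -A fwsnort_INPUT_eth2 -p tcp --sport 12345:12346 --tcp-flags ACK ACK \
  -m string --string "NetBus" -j LOG --log-prefix "SID109 "

### msg: "BACKDOOR netbus active", classtype: "misc-activity", reference: "arachnids,401"
# (The iptables rule for this signature continues beyond this excerpt.)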
|