IPS/MARS - BackOrifice BO2K UDP

Jun 5th, 2007

Hi,

I have a Cisco IPS4240 & MARS 20.

Both report an incident with "BackOrifice BO2K UDP". I have checked with my firewall; it was supposed to be IPsec traffic on port 4500, instead of 31337.

Confused.

I appreciate any advice.

cash

mhellman Tue, 06/05/2007 - 04:58

You don't mention the sig ID; that would help. There are many "trojan" signatures that trigger based solely on the port. UDP is especially prone to this because the sensor can't determine state. Something as common as a reply to a DNS query may trigger these types of signatures:

QUERY
-----
client:31337 --> DNSserver:53

RESPONSE
--------
DNSserver:53 --> client:31337

cashqoo Tue, 06/05/2007 - 18:48

Hi,

1> Signature as defined in MARS

BO2K signature [4055] - <"a2 8f b7 e2" in the first 8 bytes of a UDP packet destined to port 31337>

2> IPS log

.
.
participants:
  attacker:
    addr: 192.168.***.*** locality=OUT
    port: 4500
  target:
    addr: ***.***.***.253 locality=OUT
    port: 4500
riskRatingValue: 75
interface: ge0_2
protocol: udp

3> Syslog - firewall

Built outbound UDP connection 40003044 for outside:***.***.***.253/4500 (***.***.***.253/4500) to inside:192.168.***.***/4500 (***.***.***.180/4500)

I am confused, as the ports differ between the logs and the signature (4500 and 31337 respectively).

Am I missing anything?

I understand that drop rules can be created to drop this incident. But it seems that the logs do not tally with the signature.
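As an added example, not code from the original thread or from Cisco, here is a small Python script that re-implements the two kinds of rule discussed above: the content-qualified definition of sig 4055 as quoted from MARS (magic bytes a2 8f b7 e2 in the first 8 payload bytes, destination UDP port 31337) and a port-only rule of the kind mhellman describes. It runs both over three constructed UDP datagrams: a BO2K-style probe, a DNS reply to a client whose ephemeral port happened to be 31337, and an ESP-in-UDP NAT-T packet on 4500 like the poster's firewall log shows. The sample bytes, the "source or destination" reading of the port-only rule, and the reading of "in the first 8 bytes" as the pattern lying wholly inside them are assumptions made for the example.

```python
import struct

# Signature as quoted in the thread (MARS definition of sig 4055).
BO2K_MAGIC = bytes.fromhex("a28fb7e2")
BO2K_PORT = 31337


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Build a UDP datagram: 8-byte header (RFC 768) + payload; checksum left as 0."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def parse_udp(datagram: bytes):
    """Return (src_port, dst_port, payload) from a raw UDP datagram."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than the 8-byte UDP header")
    src, dst, _length, _csum = struct.unpack("!HHHH", datagram[:8])
    return src, dst, datagram[8:]


def sig_4055_content(datagram: bytes) -> bool:
    """Content-qualified rule, as the MARS text describes sig 4055:
    destination port 31337 AND the 4-byte magic within the first 8 payload bytes
    (assumption: the pattern must lie wholly inside those 8 bytes)."""
    _src, dst, payload = parse_udp(datagram)
    return dst == BO2K_PORT and BO2K_MAGIC in payload[:8]


def sig_port_only(datagram: bytes) -> bool:
    """Port-only style rule (assumption: matches 31337 as source OR destination,
    which is exactly what lets a DNS reply to ephemeral port 31337 fire it)."""
    src, dst, _payload = parse_udp(datagram)
    return BO2K_PORT in (src, dst)


def classify(datagram: bytes) -> dict:
    """Run both rules over one datagram."""
    return {"sig4055": sig_4055_content(datagram),
            "port_only": sig_port_only(datagram)}


# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    # 1. A BO2K-style probe: magic at payload offset 0, destination 31337.
    "bo2k_probe": build_udp(40000, BO2K_PORT, BO2K_MAGIC + b"\x00" * 28),
    # 2. mhellman's case: DNS reply to a client whose ephemeral port is 31337.
    #    12-byte DNS header (id, flags = standard response, 1 question, 1 answer)
    #    followed by padding in place of the question/answer sections.
    "dns_reply": build_udp(
        53, BO2K_PORT,
        struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x03www" + b"\x00" * 20),
    # 3. The poster's traffic: IPsec NAT-T on UDP 4500 (ESP-in-UDP: 4-byte SPI +
    #    4-byte sequence number, then ciphertext; the bytes here are arbitrary).
    "ipsec_nat_t": build_udp(
        4500, 4500,
        bytes.fromhex("c0a80001" "00000007") + bytes(range(0x10, 0x30))),
}


def run_samples() -> dict:
    """Run both rules over every sample; returns {name: {"sig4055": bool, "port_only": bool}}."""
    return {name: classify(d) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12s} sig4055={verdict['sig4055']!s:5s} port_only={verdict['port_only']}")
```

Only the BO2K-style probe satisfies the content-qualified rule; the DNS reply trips the port-only rule purely because of the ephemeral port, and the NAT-T datagram on 4500/4500 trips neither, which is why the port in the sensor's alert is worth comparing against the rule's actual match criteria before writing a drop rule.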

rnaydenov Tue, 06/05/2007 - 05:08

Make a drop rule on MARS for these hosts.

The rule should state that if there is the event "BackOrifice BO2K" on UDP port 4500 between these hosts, then drop/log only.
