IPS/MARS - BackOriffic BO2K Udp

Unanswered Question
Jun 5th, 2007

Hi,


I have a cisco IPS4240 & Mars 20.

Both report an incident with "BackOrifice BO2K UDP". I have checked with my firewall; it was supposed to be IPsec traffic on port 4500, instead of 31337.


Confused.

Appreciate any advice.


cash

mhellman Tue, 06/05/2007 - 04:58

You don't mention the sigid, that would help. There are many "trojan" signatures that will trigger based solely on the port. UDP is especially prone to this because the sensor can't determine state. Something as common as a reply to a DNS query may trigger these types of signatures.


QUERY

-----

client:31337 --> DNSserver:53


RESPONSE

--------

DNSserver:53 --> client:31337

cashqoo Tue, 06/05/2007 - 18:48

Hi,


1>Signature as defined in MARS

BO2K signature[4055] - <"a2 8f b7 e2" in the first 8 bytes of a UDP packet destined to port 31337>


2>IPS log

.

.

participants:

attacker:

addr: 192.168.***.*** locality=OUT

port: 4500

target:

addr: ***.***.***.253 locality=OUT

port: 4500

riskRatingValue: 75

interface: ge0_2

protocol: udp


3>syslog - firewall

Built outbound UDP connection 40003044 for outside:***.***.***.253/4500 (***.***.***.253/4500) to inside:192.168.***.***/4500 (***.***.***.180/4500)


I am confused, as the ports are different between the logs and the signature (4500 and 31337 respectively).


Am I missing anything?


I understand that drop rules can be created to drop this incident. But it seems that the logs do not tally with the signature.
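As an added example (not from this thread or from Cisco), a small Python triage helper that applies the BO2K criteria exactly as quoted from MARS above (magic bytes in the first 8 bytes and destination port 31337) and, separately, labels what a UDP/4500 payload looks like under IPsec NAT-T framing; the NAT-T framing rules are an assumption taken from RFC 3948, not from the thread, and all sample payloads are constructed.

```python
"""Triage helper: does a UDP packet meet the MARS-quoted BO2K criteria,
or is it just IPsec NAT-T on UDP/4500? (Added example, constructed data.)"""

BO2K_MAGIC = bytes.fromhex("a28fb7e2")  # from the MARS signature text
BO2K_PORT = 31337                        # from the MARS signature text
NAT_T_PORT = 4500                        # IPsec NAT-T port seen in the logs


def matches_bo2k_signature(dst_port: int, payload: bytes) -> bool:
    """True only when BOTH MARS-stated conditions hold: the magic bytes
    appear within the first 8 bytes AND the destination port is 31337."""
    return dst_port == BO2K_PORT and BO2K_MAGIC in payload[:8]


def classify_nat_t(payload: bytes) -> str:
    """Label a UDP/4500 payload using RFC 3948 framing (assumption):
    a lone 0xFF byte is a NAT keepalive, a 4-byte all-zero 'non-ESP marker'
    prefixes IKE, otherwise the first 4 bytes are a (non-zero) ESP SPI."""
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 4:
        return "unknown"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    return "esp"


def triage(dst_port: int, payload: bytes) -> str:
    """Decide how an alert on this packet should be read."""
    if matches_bo2k_signature(dst_port, payload):
        return "bo2k-match"
    if dst_port == NAT_T_PORT:
        return "ipsec-nat-t:" + classify_nat_t(payload)
    return "no-match"


if __name__ == "__main__":
    # Constructed samples: an ESP-in-UDP packet (SPI + sequence + data) and
    # an ESP packet whose ciphertext happens to contain the magic bytes.
    esp = bytes.fromhex("1234567800000001") + b"\xde\xad"
    esp_with_magic = b"\x11\x22\x33\x44" + BO2K_MAGIC
    print(triage(NAT_T_PORT, esp))             # ipsec-nat-t:esp
    print(triage(NAT_T_PORT, esp_with_magic))  # ipsec-nat-t:esp (wrong port)
    print(triage(BO2K_PORT, BO2K_MAGIC + bytes(12)))  # bo2k-match
```

If the sensor still fires on port 4500 traffic, it is not applying the port condition that the MARS text describes, which is the mismatch the poster is seeing.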

mhellman Wed, 06/06/2007 - 04:46

I don't see anywhere in the actual signature on the sensor where port 31337 is specified. It uses one of the "weird" engines though, where you don't get to see much.


Based on your experience and the benign triggers listed here:

http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=3992&signatureSubId=1


I suspect it is not requiring port 31337.

rnaydenov Tue, 06/05/2007 - 05:08

Make a drop rule on MARS regarding these hosts

The rule should state that if there is that event "BackOrifice BO2K" on that port 4500 UDP between these hosts then drop/log only.

