IPS/MARS - BackOrifice BO2K UDP

cashqoo
Level 1

Hi,

I have a cisco IPS4240 & Mars 20.

Both report an incident with "BackOrifice BO2K UDP". I have checked with my firewall; it was supposed to be IPsec traffic on port 4500, instead of 31337.

Confused.

Appreciate any advice.

cash

4 Replies

mhellman
Level 7

You don't mention the sigid, that would help. There are many "trojan" signatures that will trigger based solely on the port. UDP is especially prone to this because the sensor can't determine state. Something as common as a reply to a DNS query may trigger these types of signatures.

QUERY

-----

client:31337 --> DNSserver:53

RESPONSE

--------

DNSserver:53 --> client:31337

Hi,

1>Signature as defined in MARS

BO2K signature[4055] - <"a2 8f b7 e2" in the first 8 bytes of a UDP packet destined to port 31337>

2>IPS log

.

.

participants:

attacker:

addr: 192.168.***.*** locality=OUT

port: 4500

target:

addr: ***.***.***.253 locality=OUT

port: 4500

riskRatingValue: 75

interface: ge0_2

protocol: udp

3>syslog - firewall

Built outbound UDP connection 40003044 for outside:***.***.***.253/4500 (***.***.***.253/4500) to inside:192.168.***.***/4500 (***.***.***.180/4500)

I am confused, as the ports are different between the logs and the signature (4500 and 31337 respectively).

Am I missing anything?

I understand that drop rules can be created to drop this incident, but it seems that the logs do not tally with the signature.

I don't see anywhere in the actual signature on the sensor where port 31337 is specified. It uses one of the "weird" engines, though, where you don't get to see much.

Based on your experience and the benign triggers listed here:

http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=3992&signatureSubId=1

I suspect it is not requiring port 31337.

rnaydenov
Level 1

Make a drop rule on MARS regarding these hosts

The rule should state that if there is that event "BackOrifice BO2K" on that port 4500 UDP between these hosts then drop/log only.
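To make the two points in this thread concrete (mhellman's suspicion that the sensor engine matches the payload pattern without requiring port 31337, and rnaydenov's suggested MARS drop rule scoped to the 4500/4500 pair between known hosts), here is an added Python example that is not part of the thread or of any Cisco product. The signature text and the firewall message format are taken from the posts above; the addresses, the IPS event dictionary, and the list of known IPsec peers are constructed assumptions.

```python
import re

# Pattern quoted from the MARS signature text in the thread; the 8-byte window is per that text.
BO2K_MAGIC = bytes.fromhex("a28fb7e2")

def bo2k_matches(payload, dst_port, require_port=True):
    """Signature as MARS describes it: magic within the first 8 bytes of a UDP packet to 31337.
    require_port=False is the port-agnostic behaviour mhellman suspects the sensor engine has."""
    if require_port and dst_port != 31337:
        return False
    return BO2K_MAGIC in payload[:8]

# Constructed ASA-style syslog line mirroring the one in the thread (documentation addresses).
FW_SYSLOG = ("Built outbound UDP connection 40003044 for outside:203.0.113.253/4500 "
             "(203.0.113.253/4500) to inside:192.168.10.20/4500 (198.51.100.180/4500)")
FW_RE = re.compile(r"Built (?:outbound|inbound) UDP connection \d+ for "
                   r"\w+:(?P<a>[\d.]+)/(?P<ap>\d+) \([\d.]+/\d+\) to "
                   r"\w+:(?P<b>[\d.]+)/(?P<bp>\d+) \((?P<bn>[\d.]+)/\d+\)")

def parse_fw_udp(line):
    """Extract both endpoints and the post-NAT inside address from the firewall 'Built' message."""
    m = FW_RE.search(line)
    if not m:
        return None
    return {"a": (m["a"], int(m["ap"])), "b": (m["b"], int(m["bp"])), "b_nat": m["bn"]}

# Constructed IPS event carrying the fields quoted in the thread; sigid 4055 is from the MARS text.
IPS_EVENT = {"sigid": 4055, "protocol": "udp",
             "attacker": ("192.168.10.20", 4500), "target": ("203.0.113.253", 4500)}

# Assumption: the operator maintains this list of legitimate IPsec NAT-T peers.
KNOWN_IPSEC_PEERS = {"192.168.10.20", "203.0.113.253"}

def tune_action(evt, fw_line, peers=KNOWN_IPSEC_PEERS):
    """MARS-style drop rule from the thread: sig 4055 on UDP 4500<->4500 between known IPsec
    peers, corroborated by a firewall UDP/4500 build record, is logged only; anything else
    (other ports, unknown hosts, no matching firewall record) stays an incident for an analyst."""
    if evt["sigid"] != 4055 or evt["protocol"] != "udp":
        return "investigate"
    if evt["attacker"][1] != 4500 or evt["target"][1] != 4500:
        return "investigate"        # the tuning is scoped to the NAT-T port pair only
    fw = parse_fw_udp(fw_line) if fw_line else None
    if fw is None:
        return "investigate"
    hosts = {evt["attacker"][0], evt["target"][0]}
    fw_hosts = {fw["a"][0], fw["b"][0], fw["b_nat"]}
    return "log_only" if hosts <= peers and hosts <= fw_hosts else "investigate"
```

The firewall line is required on purpose: the rule only downgrades the event when the firewall itself recorded a UDP/4500 flow between the same hosts, so a BO2K hit on 4500 between unknown hosts still surfaces as an incident.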
