Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
325
Views
3
Helpful
1
Replies

Signature 3116 - Netbus

DSmirnov
Level 1
Level 1

‎04-07-2003 09:50 PM - edited ‎03-09-2019 02:49 AM

Got an alert today on sig. 3116.

Simply fired on HTTP traffic initiated from tcp/12345 to tcp/80.

Is anyway to make more robust - at least filter out whole HTTP traffic or recognize Netbus based on payload?

Labels:
0 Helpful
1 Reply 1

marcabal
Cisco Employee
Cisco Employee

‎04-08-2003 09:44 AM

What you found is a known bug in version 3.1 and earlier sensors.

The sensor did not track which port was the server and which port was the client.

So if your analysis is correct that this is a normal HTTP connection, then the HTTP client randomly chose the 12345 port which a Netbus server usually runs on. The HTTP client then sent a request to the webserver that contained "netbus" in the request.

The signature looks for the regular expression: [Nn][Ee][Tt][Bb][Uu][Ss] from a server running on ports 12345,12346 or 20034

So you may want to verify that it is a legitimate web request containing "netbus" in the request or some variant like "netbusiness" which would make the alarm a false positive alarm.

In version 4.0 of the sensor we have addresses these false postives where clent ports are being confused with server ports. The 4.0 sensor is able to track the direction of the connection in order to determine which of the 2 ports is the server port and which is the client port. So in 4.0 you would not have this false positive.

Here is the signature definition on a 4.0 sensor in case you are interested:

SIGID: 3116

SubSig: 0

AlarmDelayTimer:

AlarmInterval:

AlarmSeverity: high

AlarmThrottle: Summarize

AlarmTraits:

ChokeThreshold:

Direction: FromService

Enabled: True

EndMatchOffset:

EventAction:

FlipAddr:

MaxInspectLength:

MaxTTL:

MinHits: 1

MinMatchLength:

Protocol: TCP

RegexString: [Nn][Ee][Tt][Bb][Uu][Ss]

ResetAfterIdle: 15

ServicePorts: 12345-12346,20034

SigComment:

SigName: NetBus

SigStringInfo: NetBus

SigVersion: S37

StorageKey: STREAM

StripTelnetOptions:

SummaryKey: AaBb

ThrottleInterval: 15

WantFrag

Customers Also Viewed These Support Documents