From: Yong, David (David.Yong@trw.com)
Date: Fri Jul 27 2001 - 09:17:44 CDT


    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomo@iss.net Contact issforum-owner@iss.net for help with any problems!
    ----------------------------------------------------------------------------

    I definitely don't think the help on signatures is sufficient. Yes, it is true I could go around with netcat and try to emulate every different false positive that I have, but I don't have that kind of time. I would really prefer it if the help on each vulnerability gave the exact reasoning behind why it alerted on that vulnerability. In general the vulnerability database help just describes the vulnerability. I know what BackOrifice is; there are hundreds of resources on the net that will tell me what BackOrifice is. I want to know why the scanner thinks it's a BackOrifice connection. As we all know, there are more false positives with this thing than anything else. I would just like a resource to tell me how it's looking for things so that I can tell if it's a vulnerability or not.

    Note to ISS: You can't say that you want to keep it a secret because you don't want other companies copying your method. Most IDS systems have pretty much the same list of vulnerabilities, so it's not how many you have anymore, it's who comes out with it first.

    -----Original Message-----
    From: Jeroen Veeren [mailto:j.veeren@pointnet.nl]
    Sent: Friday, July 27, 2001 12:44 AM
    To: Yong, David; issforum@iss.net
    Subject: RE: Question about Back Orifice


    David,

    I am not aware of any resources in detail, although I find the help on the
    signatures sufficient in most cases.
    In this particular event I would suggest just telnetting to port 31337 on any
    machine that is in the segment of the monitored network and seeing if the
    BackOrifice event pops up.

    If it doesn't, you could use netcat to listen on a machine in that segment
    and let it listen on port 31337 to see if it will pop up when a session is
    made.

    If again it doesn't, you can start sending data over the connection to see
    what will trigger the event, but I guess that would be a little bit
    far-fetched ;o)

    Bye,
    Jeroen.

    -----Original Message-----
    From: Yong, David [mailto:David.Yong@trw.com]
    Sent: Friday, July 20, 2001 16:18
    To: issforum@iss.net
    Subject: Question about Back Orifice


    When I get a "BackOrifice" alert on RealSecure, what events occur that show
    this alert? Is it just looking for connections to port 31337? Is it smart
    enough to actually look into the traffic and see something specific to Back
    Orifice, or does it just look for a tcp connection on that port? It would
    help a lot if ISS included more information on the signatures... Maybe a
    resource exists on what EXACTLY is being found when an alert is sounded, but
    I am unaware of it?

    David Yong
    (310) 812-3994
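The question the thread turns on is whether a "BackOrifice" signature merely watches port 31337 or actually recognises the Back Orifice protocol. The script below is an added example written for this page; it is not RealSecure's signature, not ISS code, and not Back Orifice's own source. It puts a port-only detector beside a content-aware one and runs both over three constructed datagrams: Jeroen's plain netcat text sent to port 31337 (a false positive for the port-only check), a BO-style packet on the default port, and a BO-style packet on a non-default port under a non-default key, which the port-only check misses entirely. It goes beyond the thread in one respect: the content check recovers the key by precomputing the encrypted magic for every candidate key rather than trying one. The wire format modelled here (UDP, default port 31337, the 8-byte magic `*!*QWTY?` once decrypted, each byte XORed with the low byte of an MSVC-style `rand()` seeded with a 16-bit key, key 31337 when no password is set) is my recollection of the published BO 1.2 protocol and should be treated as an assumption; every name and sample in the code is constructed for the example.

```python
"""Port-only vs. content-aware detection of Back Orifice (BO) datagrams.

Added example for this thread; not RealSecure's signature and not ISS code.
The BO wire format and cipher below are assumptions (recollection of the
published BO 1.2 protocol), and all datagrams are constructed inline.
"""
import struct

BO_MAGIC = b"*!*QWTY?"          # assumed 8-byte header after decryption
BO_DEFAULT_PORT = 31337
BO_DEFAULT_KEY = 31337          # assumed key when the server has no password
KEY_SPACE = range(0, 65536)     # assumed 16-bit password-derived key space


def _keystream(key, length):
    """MSVC rand()-style LCG: hold = hold*214013 + 2531011, emit low byte of
    (hold >> 16). Assumed to be the stream BO XORs over each packet."""
    hold = key & 0xFFFFFFFF
    out = bytearray()
    for _ in range(length):
        hold = (hold * 214013 + 2531011) & 0xFFFFFFFF
        out.append((hold >> 16) & 0xFF)
    return bytes(out)


def bo_crypt(data, key=BO_DEFAULT_KEY):
    """XOR stream cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def build_bo_packet(command, key=BO_DEFAULT_KEY, pkt_id=1, msg_type=0x01):
    """Constructed BO-style datagram: magic, total length, id, type, command."""
    total = len(BO_MAGIC) + 4 + 4 + 1 + len(command)
    body = BO_MAGIC + struct.pack("<II", total, pkt_id) + bytes([msg_type]) + command
    return bo_crypt(body, key)


def port_only_alert(dst_port):
    """What a signature that only looks at the destination port decides."""
    return dst_port == BO_DEFAULT_PORT


# Encrypted form of the magic under every candidate key: one dict lookup on the
# first 8 ciphertext bytes recovers the key without decrypting the whole packet.
_KEY_BY_ENCRYPTED_MAGIC = {bo_crypt(BO_MAGIC, k): k for k in KEY_SPACE}


def content_alert(payload):
    """Return the BO key if the datagram decrypts to the magic, else None."""
    if len(payload) < len(BO_MAGIC):
        return None
    return _KEY_BY_ENCRYPTED_MAGIC.get(bytes(payload[:len(BO_MAGIC)]))


def analyse(datagrams):
    """Run both detectors over (label, dst_port, payload) tuples."""
    findings = []
    for label, dst_port, payload in datagrams:
        key = content_alert(payload)
        findings.append({
            "label": label,
            "port_only": port_only_alert(dst_port),
            "content": key is not None,
            "key": key,
        })
    return findings


# Constructed samples, not captured traffic.
SAMPLES = [
    # Jeroen's test: text typed into telnet/netcat towards port 31337.
    ("netcat text to 31337", BO_DEFAULT_PORT, b"hello from netcat\r\n"),
    # BO-style packet, default key, default port.
    ("BO default key on 31337", BO_DEFAULT_PORT, build_bo_packet(b"PING")),
    # BO-style packet on a non-default port with a password-derived key.
    ("BO key 4242 on 12345", 12345, build_bo_packet(b"PING", key=4242)),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLES):
        print(finding)
```

The first sample is exactly David's complaint: a port-only signature fires on it, the content check does not. The third sample is the other side of the same coin: anything keyed to port 31337 alone stays silent, while the content check both fires and tells the analyst which key the operator used.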