[**] BACKDOOR BackOrifice access [**]
06/07-20:55:38.833713 24.202.58.88:2982 -> 24.23.60.184:31337
UDP TTL:115 TOS:0x0 ID:3083 IpLen:20 DgmLen:46
Len: 26
0x0000: 00 E0 29 53 D8 D4 00 50 3E E2 5C 70 08 00 45 00 ..)S...P>.\p..E.
0x0010: 00 2E 0C 0B 00 00 73 11 93 C3 18 CA 3A 58 18 17 ......s.....:X..
0x0020: 3C B8 0B A6 7A 69 00 1A 7B 7D CE 63 D1 D2 16 E7 <...zi..{}.c....
0x0030: 13 CF 39 A5 A5 86 4D 8A B4 66 AA 32 ..9...M..f.2
Value                                 | Field Name
[**] BACKDOOR BackOrifice access [**] | Rule Name
06/07-20:55:38.833713                 | Full Date/Time
UDP                                   | Protocol Type
TTL:115                               | Time To Live
TOS:0x0                               | Type Of Service
ID:3083                               | Session ID
IpLen:20                              | IP Length
DgmLen:46                             | Datagram Length
Len: 26                               | Length
Rule Name - [**] BACKDOOR BackOrifice access [**]
The rule name is taken from the "msg" field of the Snort rule that fired.
Below is the rule that caused the alert:
alert tcp any 80 -> any any (msg:"BACKDOOR BackOrifice access";
flags: A+; content: "server|3a| BO|2f|"; reference:arachnids,400;)
Full Date/Time - 06/07-20:55:38.833713
The time is written in 24-hour format using the system date.
The (-U) flag may be set to have the times logged in UTC,
and the (-y) flag adds the current year to the timestamp.
Application Layer Dump
The (-d) option is used to display the ASCII and hex contents of the application layer.
(Hex Data)
0x0000: 00 E0 29 53 D8 D4 00 50 3E E2 5C 70 08 00 45 00 ..)S...P>.\p..E.
0x0010: 00 2E 0C 0B 00 00 73 11 93 C3 18 CA 3A 58 18 17 ......s.....:X..
0x0020: 3C B8 0B A6 7A 69 00 1A 7B 7D CE 63 D1 D2 16 E7 <...zi..{}.c....
0x0030: 13 CF 39 A5 A5 86 4D 8A B4 66 AA 32 ..9...M..f.2
(ASCII Data)
..)S...P>.\p..E.
......s.....:X..
<...zi..{}.c....
..9...M..f.2
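As an added example (not part of the original page), the Python below parses the alert header and the hex dump shown above, walks the Ethernet, IP and UDP headers that the dump begins with, and checks that the decoded fields agree with what Snort printed in the header. The alert text and dump bytes are copied from this page; the function names are my own.

```python
import re
import socket
import struct

# Alert header and hex dump copied from the alert shown on this page.
ALERT = """[**] BACKDOOR BackOrifice access [**]
06/07-20:55:38.833713 24.202.58.88:2982 -> 24.23.60.184:31337
UDP TTL:115 TOS:0x0 ID:3083 IpLen:20 DgmLen:46
Len: 26"""
DUMP = r"""0x0000: 00 E0 29 53 D8 D4 00 50 3E E2 5C 70 08 00 45 00 ..)S...P>.\p..E.
0x0010: 00 2E 0C 0B 00 00 73 11 93 C3 18 CA 3A 58 18 17 ......s.....:X..
0x0020: 3C B8 0B A6 7A 69 00 1A 7B 7D CE 63 D1 D2 16 E7 <...zi..{}.c....
0x0030: 13 CF 39 A5 A5 86 4D 8A B4 66 AA 32 ..9...M..f.2"""

def dump_to_bytes(dump):
    """Collect the hex columns of each '0xNNNN:' line, skipping the ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        body = line.split(":", 1)[1]
        # the hex run ends at the first token that is not exactly two hex digits
        hexrun = re.match(r"(?:\s+[0-9A-Fa-f]{2}\b)+", body).group(0)
        out += bytes.fromhex(hexrun.replace(" ", ""))
    return bytes(out)

def decode_frame(raw):
    """Walk Ethernet II -> IPv4 -> UDP headers and return the fields Snort prints."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]  # the dump starts with the 14-byte Ethernet header
    ver_ihl, tos, dgm_len, ip_id, _frag, ttl, proto = struct.unpack("!BBHHHBB", ip[:10])
    ip_len = (ver_ihl & 0x0F) * 4
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", ip[ip_len:ip_len + 8])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "proto": {6: "TCP", 17: "UDP"}.get(proto, str(proto)), "TTL": ttl,
            "TOS": tos, "ID": ip_id, "IpLen": ip_len, "DgmLen": dgm_len,
            "sport": sport, "dport": dport, "Len": udp_len,
            "payload": ip[ip_len + 8:ip_len + udp_len]}  # 18 bytes for this packet

def parse_alert(text):
    """Pull the values Snort printed in the alert header into a dict."""
    lines = text.splitlines()
    m = re.match(r"\S+ (\S+):(\d+) -> (\S+):(\d+)", lines[1])
    fields = {"src": m[1], "sport": int(m[2]), "dst": m[3], "dport": int(m[4])}
    fields["proto"] = lines[2].split()[0]
    for key, val in re.findall(r"(\w+):\s*(0x[0-9A-Fa-f]+|\d+)", " ".join(lines[2:])):
        fields[key] = int(val, 0)  # base 0 accepts both "115" and "0x0"
    return fields

def mismatches(alert, frame):
    """Alert fields whose printed value differs from the decoded frame (empty = consistent)."""
    return {k: (alert[k], frame.get(k)) for k in alert if frame.get(k) != alert[k]}
```

Running mismatches(parse_alert(ALERT), decode_frame(dump_to_bytes(DUMP))) returns an empty dict for this alert, and the decoded payload is the 18 bytes following the UDP header.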