Backdoor Rulebase Example: netcat
The netcat utility can open connections to any port and can offer services on any port. We know that attackers use netcat to create and exploit backdoors.
Suppose an attacker gains access to a host in your network and installs a netcat utility. The following example shows a netcat command an attacker can run:
nc 10.1.1.100 4444
This command opens a connection to the computer at IP address 10.1.1.100 over port 4444.
Figure 1 shows a recommended rule that would detect the interactive traffic generated by netcat in this case.
Figure 1: Backdoor Rulebase

Rule 1 ignores the interactive traffic you expect for the interactive services in your network (Telnet, SSH, RSH, NetMeeting, and VNC). Rule 2 detects all other interactive traffic, that is, interactive traffic that occurs over a port where there normally is no interactive traffic.
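The two-rule logic above, as an added example that is not the product's rulebase or code: flows are first classified as interactive or not, then Rule 1 drops interactive flows on the ports where interactive services are expected and Rule 2 reports the rest. The classifier (small payloads, human-scale gaps between packets, traffic in both directions) is an assumption standing in for the product's own detection method, which the page does not describe; the port numbers for the five services (23, 22, 514, 1720, 5900) are standard values assumed here, not taken from the page; the flows are constructed sample data.

```python
"""Added example modelling the backdoor rulebase: Rule 1 ignores expected
interactive services, Rule 2 alerts on interactive traffic anywhere else.
The interactive-traffic heuristic and the sample flows are assumptions."""
from dataclasses import dataclass
from statistics import median

# Standard ports for the services Rule 1 excludes (assumed well-known values,
# not stated on the page): SSH, Telnet, RSH, NetMeeting (H.323 call setup), VNC.
EXPECTED_INTERACTIVE_PORTS = {22, 23, 514, 1720, 5900}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    # Each packet: (relative time in seconds, payload bytes, direction)
    # direction is 'c' for client->server and 's' for server->client.
    packets: list


def is_interactive(flow, max_payload=64, min_gap=0.05, min_packets=6):
    """Heuristic (assumed, not the product's method): a human-driven session
    sends many small payloads in both directions, with tens of milliseconds or
    more between packets.  Bulk transfers fail on size, gap, or direction."""
    pkts = [p for p in flow.packets if p[1] > 0]          # ignore empty ACKs
    if len(pkts) < min_packets:
        return False
    sizes = [p[1] for p in pkts]
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
    directions = {p[2] for p in pkts}
    return (median(sizes) <= max_payload
            and median(gaps) >= min_gap
            and directions == {'c', 's'})


def apply_backdoor_rulebase(flows):
    """Evaluate the two rules in order.  Returns (rule_number, flow) for every
    interactive flow; rule 1 means 'ignore', rule 2 means 'alert'.  Flows that
    are not interactive match neither rule and are omitted."""
    matches = []
    for flow in flows:
        if not is_interactive(flow):
            continue
        if flow.dport in EXPECTED_INTERACTIVE_PORTS:
            matches.append((1, flow))   # Rule 1: expected service, ignore
        else:
            matches.append((2, flow))   # Rule 2: interactive on an odd port
    return matches


def alerts(flows):
    """Only Rule 2 matches produce an alert line."""
    return [f"Rule 2: interactive traffic {f.src} -> {f.dst}:{f.dport}"
            for rule, f in apply_backdoor_rulebase(flows) if rule == 2]


def build_sample_flows():
    """Constructed sample flows (not captured traffic)."""
    # An ordinary SSH session: small packets, alternating directions, 0.3 s apart.
    ssh = Flow("10.1.1.5", "10.1.1.20", 22,
               [(i * 0.3, 48, 'c' if i % 2 == 0 else 's') for i in range(10)])
    # The netcat session from the page: same shape, but on port 4444.
    nc = Flow("10.1.1.50", "10.1.1.100", 4444,
              [(i * 0.4, 12, 'c' if i % 2 == 0 else 's') for i in range(10)])
    # A one-way bulk transfer on 4444: full-size segments back to back.
    bulk = Flow("10.1.1.7", "10.1.1.100", 4444,
                [(i * 0.001, 1460, 's') for i in range(40)])
    return [ssh, nc, bulk]


if __name__ == "__main__":
    for line in alerts(build_sample_flows()):
        print(line)
```

Only the netcat-style flow on port 4444 is reported: the SSH session is interactive but falls under Rule 1, and the bulk transfer on the same port 4444 is never classified as interactive, which is the point of keying the rule on traffic shape rather than on the port alone.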