[Emerging-Sigs] Unknown C&C sample

Matt Jonkman jonkman at jonkmans.com
Thu Mar 20 08:08:29 EST 2008


Ahhh, I can fix that. I had compressed 2 sigs into one by taking the 
shorter starting string. I can expand it.

Changed the dsize to 22 which appears to be stable. And added 1c 5e to 
the content match. That ought to do it.

Can you test for me?

Thanks

Matt


Michael Stone wrote:
> On Mon, Mar 17, 2008 at 01:48:49PM -0400, Matt Jonkman wrote:
>> alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS 
>> Unknown Trojan CnC Channel Keepalive Ping"; flow:established,to_server; 
>> dsize:<25; content:"|12 00 00 00|"; depth:4; classtype:trojan-activity; 
>> sid:2008010; rev:1;)
> 
> This seems to be falsing on mysql traffic. (Pattern observed is "|12 00 
> 00 00|SELECT...", dport 3306/tcp)
> 
> Mike Stone
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
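The exchange above turns on how Snort evaluates `dsize`, `content` with `|hex|` notation, and `depth`. Below is an added example, not code from the thread or from Emerging Threats, that emulates those three options in Python and runs the original rule and the narrowed one against two constructed payloads: a 22-byte keepalive starting `12 00 00 00 1c 5e` (the filler after those six bytes is an assumption) and a MySQL COM_QUERY packet of the `|12 00 00 00|SELECT...` shape Mike reported. The exact placement of `1c 5e` in the revised content match, and the widened `depth:6`, are assumptions based on Matt's description.

```python
# Added example (not from the thread): minimal emulation of the Snort rule
# options dsize, content (with |hex| notation) and depth, applied to two
# constructed payloads to show why the original signature fires on MySQL
# traffic and why the narrowed content match should not.


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|12 00 00 00|SELECT' into bytes.
    Text between pipes is hex; everything outside pipes is literal ASCII."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                      # inside |...|: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                               # outside pipes: literal text
            out += part.encode("ascii")
    return bytes(out)


def dsize_ok(spec: str, size: int) -> bool:
    """Evaluate a dsize option: '<25', '>10', '22' or '20<>30' (exclusive range)."""
    if "<>" in spec:
        lo, hi = (int(x) for x in spec.split("<>"))
        return lo < size < hi
    if spec.startswith("<"):
        return size < int(spec[1:])
    if spec.startswith(">"):
        return size > int(spec[1:])
    return size == int(spec)


def rule_matches(payload: bytes, dsize: str, content: str, depth: int) -> bool:
    """True when the payload satisfies dsize AND the content bytes are found
    entirely within the first `depth` bytes (Snort's depth semantics)."""
    needle = parse_content(content)
    return dsize_ok(dsize, len(payload)) and needle in payload[:depth]


# Constructed sample payloads (not captures from the thread).
# 1) The keepalive the signature targets: 22 bytes beginning 12 00 00 00 1c 5e.
#    The zero filler after the first six bytes is assumed.
KEEPALIVE = bytes.fromhex("12 00 00 00 1c 5e") + b"\x00" * 16

# 2) A MySQL COM_QUERY packet: 3-byte little-endian length (0x12 = 18 bytes),
#    sequence id 0, command byte 0x03, then the query text. This is the
#    "|12 00 00 00|SELECT..." shape Mike saw; his note elides the 0x03 byte.
MYSQL_QUERY = bytes.fromhex("12 00 00 00") + b"\x03" + b"SELECT 1 FROM tbl"

# rev:1 as posted in the thread.
ORIGINAL = dict(dsize="<25", content="|12 00 00 00|", depth=4)

# The narrowed rule as Matt describes it: dsize 22 and 1c 5e added to the
# content match. Appending the two bytes directly and widening depth to 6
# is an assumption.
REVISED = dict(dsize="22", content="|12 00 00 00 1c 5e|", depth=6)


def evaluate() -> dict:
    """Return {sample_name: (original_hits, revised_hits)} for both payloads."""
    samples = {"keepalive": KEEPALIVE, "mysql_query": MYSQL_QUERY}
    return {
        name: (rule_matches(p, **ORIGINAL), rule_matches(p, **REVISED))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, (orig, rev) in evaluate().items():
        print(f"{name:12s} original={orig} revised={rev}")
```

Note that the constructed MySQL packet is itself exactly 22 bytes, so tightening `dsize` from `<25` to `22` does nothing on its own against a 17-character query; it is the `1c 5e` bytes in the content match that separate the keepalive from a COM_QUERY header. When testing the revision, it is worth checking it against a range of short legitimate queries for this reason, since the rule's `$EXTERNAL_NET 1024: -> $HOME_NET 1024:` port ranges include 3306/tcp.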
