[Emerging-Sigs] Aurora

Jaime Blasco jaime.blasco at alienvault.com
Tue Jan 19 10:15:42 EST 2010


Hi,

I was reading the article about Operation Aurora:
http://www.mcafee.com/us/threat_center/operation_aurora.html

(Google attack)

I think these rules should be sufficient to detect the behavior described in
the article:

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Aurora C&C Checkin"; flow:established,to_server; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; offset:0; depth:20; classtype:trojan-activity; reference:url,www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/; sid:10000000001; rev:1;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Aurora C&C Checkin Response"; flow:established,to_client; content:"|cc cc cc cc cd cc cc cc cd cc cc cc cc cc cc cc|"; offset:0; depth:16; classtype:trojan-activity; reference:url,www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/; sid:10000000002; rev:1;)

Regards

-- 
_______________________________

Jaime Blasco

www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com
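Added illustration, not part of the original post and not code from Emerging Threats, AlienVault or McAfee: the byte-matching logic of the two rules above, written as plain Python so the `offset`/`depth` semantics can be exercised offline. The response rule is treated as `to_client`, which is the direction its header (server port 443 towards $HOME_NET) describes. The `Packet` samples are constructed for the example, not captured Aurora traffic, and stream reassembly is ignored: each packet payload is matched on its own.

```python
# Added example: Snort-style content/offset/depth matching for the two Aurora
# rules. Not code from the original post; packet samples below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Byte patterns exactly as given in the two rules (20 and 16 bytes).
AURORA_CHECKIN = bytes.fromhex("ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff")
AURORA_RESPONSE = bytes.fromhex("cc cc cc cc cd cc cc cc cd cc cc cc cc cc cc cc")


@dataclass(frozen=True)
class Packet:
    """One TCP segment of an established flow (constructed sample, not a capture)."""
    src_port: int
    dst_port: int
    to_server: bool      # True = client -> server, False = server -> client
    payload: bytes


@dataclass(frozen=True)
class Rule:
    msg: str
    to_server: bool          # flow:established,to_server  /  ...,to_client
    server_port: int         # the 443 in both rule headers
    content: bytes
    offset: int = 0          # start searching at this payload byte ...
    depth: Optional[int] = None   # ... and look at only this many bytes from offset

    def matches(self, pkt: Packet) -> bool:
        if pkt.to_server != self.to_server:
            return False
        # The 443 is the destination for to_server rules and the source for to_client.
        server_side_port = pkt.dst_port if self.to_server else pkt.src_port
        if server_side_port != self.server_port:
            return False
        end = None if self.depth is None else self.offset + self.depth
        return self.content in pkt.payload[self.offset:end]


RULES: List[Rule] = [
    Rule("ET TROJAN Aurora C&C Checkin", True, 443, AURORA_CHECKIN, 0, 20),
    Rule("ET TROJAN Aurora C&C Checkin Response", False, 443, AURORA_RESPONSE, 0, 16),
]


def scan(packets: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[int, str]]:
    """Return (packet index, rule msg) for every rule that fires on each packet."""
    return [(i, r.msg) for i, p in enumerate(packets) for r in rules if r.matches(p)]


# Constructed samples: two hits, three near misses.
SAMPLES: List[Packet] = [
    Packet(51234, 443, True, AURORA_CHECKIN + b"\x00" * 12),           # 0: beacon at byte 0
    Packet(443, 51234, False, AURORA_RESPONSE + b"\x01\x00\x00\x00"),  # 1: server reply
    Packet(51235, 443, True, bytes.fromhex("16 03 01 00 5a 01 00 00")),  # 2: real TLS ClientHello start
    Packet(51236, 443, True, b"\x00" + AURORA_CHECKIN),               # 3: same bytes, shifted by one
    Packet(51237, 8443, True, AURORA_CHECKIN),                         # 4: right bytes, wrong port
]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLES):
        print(f"packet {idx}: {msg}")
```

Only samples 0 and 1 fire. Sample 3 shows why `offset:0; depth:20;` is stricter than a bare `content`: `depth` counts from `offset`, so the 20-byte pattern must begin at payload byte 0; the same bytes one position later fall outside the window. Sample 4 shows the port constraint in the rule header doing its share of the filtering.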