[Emerging-Sigs] Signature for Virus:Win32/Slugin.A

waldo kitty wkitty42 at windstream.net
Fri Oct 15 14:14:50 EDT 2010


On 10/15/2010 08:29, dave richards wrote:
> Hi Matt,
>
> Please find the signature for Virus:Win32/Slugin.A
>
> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS

according to the threatexpert link, the above $HTTP_PORTS should be 81 /or/ 
one's snort.conf should have port 81 in their list of HTTP_PORTS... the default 
HTTP_PORTS list in the VRT recommended snort.conf does not have 81 in this list...

> Win32/Slugin.A Reporting"; flow: to_server,established;
> content:"Host\:"; nocase; content:"paulinhosanotos.no-ip.biz"; nocase;
> classtype:trojan-activity;
> reference:url,threatexpert.com/report.aspx?md5=693592c6cfc2eae41ca23854a0752ec1;
> reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSlugin.A;
> sid:20101072; rev:1;)
>
> Looking forward to your comments, if any

not sure how you might want to handle the above... can something like 
[$HTTP_PORTS, 81] be done? of course, this might cause problems for those who 
may have 81 in their list... i dunno...
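
The port-coverage question raised in this reply can be checked mechanically. The following is an added example, not part of the original thread or of any Snort distribution: it resolves a rule's destination-port field against `portvar` definitions and reports whether a given port is covered. The `HTTP_PORTS` list in `SAMPLE_CONF` is constructed for illustration (it is not the VRT default), the function names are hypothetical, and the script only evaluates what a list such as `[$HTTP_PORTS,81]` would cover; it does not test whether a particular Snort version accepts that syntax.

```python
import re

# Constructed sample; NOT the VRT default HTTP_PORTS list.
SAMPLE_CONF = "portvar HTTP_PORTS [80,8000:8010,8080]\n"
RULE_HEADER = "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS"  # from the thread

def load_portvars(conf_text):
    """Collect 'portvar NAME spec' and legacy 'var NAME spec' lines."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(?:portvar|var)\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def split_top(body):
    """Split on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return [p.strip() for p in parts + [cur] if p.strip()]

def matches(spec, port, portvars):
    """True if port is inside the spec: any, N, lo:hi, !x, $VAR or [list]."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not matches(spec[1:], port, portvars)
    if spec.startswith("$"):
        return matches(portvars[spec[1:]], port, portvars)
    if spec.startswith("["):
        items = split_top(spec[1:-1])
        pos = [i for i in items if not i.startswith("!")]
        neg = [i[1:] for i in items if i.startswith("!")]
        # A list holding only negations means "any port except those".
        hit = not pos or any(matches(i, port, portvars) for i in pos)
        return hit and not any(matches(i, port, portvars) for i in neg)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

def rule_covers(header, port, portvars):
    """Check the destination-port field (7th token) of a rule header."""
    return matches(header.split()[6], port, portvars)
```

With the constructed list, `rule_covers(RULE_HEADER, 81, load_portvars(SAMPLE_CONF))` is false, while the same header with `[$HTTP_PORTS,81]` or a literal `81` as the destination port evaluates as covering tcp/81.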

