[Emerging-Sigs] Signature for Virus:Win32/Slugin.A

Joel Esler jesler at sourcefire.com
Fri Oct 15 14:18:24 EDT 2010


On Fri, Oct 15, 2010 at 2:14 PM, waldo kitty <wkitty42 at windstream.net> wrote:

> On 10/15/2010 08:29, dave richards wrote:
> > Hi Matt,
> >
> > Please find the signature for Virus:Win32/Slugin.A
> >
> > alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS
>
> according to the threatexpert link, the above $HTTP_PORTS should be 81 /or/
> one's snort.conf should have port 81 in their list of HTTP_PORTS... the
> default HTTP_PORTS list in the VRT recommended snort.conf does not have 81
> in this list...
>
In addition you should have 81 in the http_inspect ports configuration for
your network.



> > Win32/Slugin.A Reporting"; flow: to_server,established;
> > content:"Host\:"; nocase; content:"paulinhosanotos.no-ip.biz"; nocase;
> > classtype:trojan-activity;
> > reference:url,threatexpert.com/report.aspx?md5=693592c6cfc2eae41ca23854a0752ec1;
> > reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSlugin.A;
> > sid:20101072; rev:1;)
> >
> > Looking forward to your comments, if any
>
> not sure how you might want to handle the above... can something like
> [$HTTP_PORTS, 81] be done? of course, this might cause problems for those
> who may have 81 in their list... i dunno...

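Both conditions raised in this thread (port 81 in the HTTP_PORTS variable used by the rule header, and port 81 in the http_inspect ports list) can be checked against a sensor's configuration. The Python script below is an added example, not part of the original messages; the snort.conf excerpt is constructed, and the script assumes Snort 2.x syntax with flat port lists (literal ports, ranges and negations, no nested variables).

```python
import re

# Constructed snort.conf excerpt (Snort 2.x syntax, not a real default config):
# port 81 is missing from both the port variable and http_inspect.
SAMPLE_CONF = r"""
portvar HTTP_PORTS [80,8080,8000:8010]
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
"""

def logical_lines(conf):
    """Join backslash-continued lines, drop blanks and comments."""
    joined = re.sub(r"\\\r?\n", " ", conf)
    lines = (l.strip() for l in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def in_port_list(port, spec):
    """True if port matches a flat list such as [80,8000:8010,!8005]."""
    hit = False
    for item in spec.strip("[] \t").split(","):
        item = item.strip()
        if not item:
            continue
        negated, item = item.startswith("!"), item.lstrip("!")
        if item == "any":
            lo, hi = 0, 65535
        else:
            lo, sep, hi = item.partition(":")
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else (65535 if sep else lo)
        if lo <= port <= hi:
            if negated:
                return False  # an explicit exclusion wins
            hit = True
    return hit

def port_coverage(conf, port, var="HTTP_PORTS"):
    """Report whether port is in the rule's port variable and in http_inspect."""
    result = {"portvar": False, "http_inspect": False}
    for line in logical_lines(conf):
        m = re.match(r"(?:portvar|var)\s+%s\s+(.+)$" % re.escape(var), line)
        if m:
            result["portvar"] = in_port_list(port, m.group(1))
        if line.startswith("preprocessor http_inspect_server"):
            for ports in re.findall(r"\bports\s*\{([^}]*)\}", line):
                result["http_inspect"] |= str(port) in ports.split()
    return result

if __name__ == "__main__":
    print(port_coverage(SAMPLE_CONF, 81))
```

A `False` in either field for port 81 means the signature as posted would not see the traffic on that sensor: the rule header would not match, or the HTTP preprocessor would not normalize the stream.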
