[Emerging-Sigs] Signature for Virus:Win32/Slugin.A

waldo kitty wkitty42 at windstream.net
Fri Oct 15 15:17:45 EDT 2010


On 10/15/2010 14:18, Joel Esler wrote:
> On Fri, Oct 15, 2010 at 2:14 PM, waldo kitty <wkitty42 at windstream.net> wrote:
>
>     On 10/15/2010 08:29, dave richards wrote:
>      > Hi Matt,
>      >
>      > Please find the signature for Virus:Win32/Slugin.A
>      >
>      > alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS
>
>     according to the threatexpert link, the above $HTTP_PORTS should be 81 /or/
>     one's snort.conf should have port 81 in their list of HTTP_PORTS... the default
>     HTTP_PORTS list in the VRT recommended snort.conf does not have 81 in this
>     list...
>
> In addition you should have 81 in the http_inspect ports configuration for your
> network.

right... 81 is not in that list in the VRT snort.conf either ;)


>
>      > Win32/Slugin.A Reporting"; flow: to_server,established;
>      > content:"Host\:"; nocase; content:"paulinhosanotos.no-ip.biz"; nocase;
>      > classtype:trojan-activity;
>      > reference:url,threatexpert.com/report.aspx?md5=693592c6cfc2eae41ca23854a0752ec1;
>      > reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSlugin.A;
>      > sid:20101072; rev:1;)
>      >
>      > Looking forward for your comments if any
>
>     not sure how you might want to handle the above... can something like
>     [$HTTP_PORTS, 81] be done? of course, this might cause problems for those who
>     may have 81 in their list... i dunno...
>
>     _______________________________________________
>     Emerging-sigs mailing list
>     Emerging-sigs at emergingthreats.net
>     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>     Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>     http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>
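
Added example (not part of the original thread): a Python check for the mismatch discussed above, testing whether a rule's destination-port field and the http_inspect ports list cover the port the sample talks to. The snort.conf fragment, its port values and the function names are constructed for illustration; the rule header is the one posted, with options elided.

```python
import re

# Constructed snort.conf fragment (Snort 2.x syntax); the port values are sample data.
SNORT_CONF = """
portvar HTTP_PORTS [80,8080]
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
"""
# Rule header as posted in the thread (options elided), and the variant suggested in the reply.
RULE_AS_POSTED = "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (...)"
RULE_WITH_81 = "alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,81] (...)"

def parse_portvars(conf):
    """Map each 'portvar NAME spec' line to {NAME: spec}."""
    return dict(re.findall(r"^\s*portvar\s+(\w+)\s+(\S+)", conf, re.M))

def port_matches(spec, port, portvars):
    """True if port is covered by a spec: any, N, N:M, !x, $VAR or [a,b,...].
    Assumption: lists nest only through $VAR references, not literal brackets."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, portvars)
    if spec.startswith("$"):
        return port_matches(portvars[spec[1:]], port, portvars)
    if spec.startswith("["):
        items = [i.strip() for i in spec[1:-1].split(",") if i.strip()]
        pos = [i for i in items if not i.startswith("!")]
        neg = [i[1:] for i in items if i.startswith("!")]
        hit = any(port_matches(i, port, portvars) for i in pos) if pos else True
        return hit and not any(port_matches(i, port, portvars) for i in neg)
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, _, hi = spec.partition(":")
    return int(lo or 0) <= port <= int(hi or 65535)

def check(rule, port, conf):
    """Report whether the rule's destination port and http_inspect both cover port."""
    conf = conf.replace("\\\n", " ")  # join backslash-continued lines
    dst_port = rule.split("(", 1)[0].split()[6]  # action proto src sport dir dst dport
    inspected = set()
    for line in conf.splitlines():
        if line.lstrip().startswith("preprocessor http_inspect_server"):
            for body in re.findall(r"ports\s*\{([^}]*)\}", line):
                inspected.update(int(p) for p in body.split())
    return {"rule_matches_port": port_matches(dst_port, port, parse_portvars(conf)),
            "http_inspect_covers_port": port in inspected}
```

With this sample configuration, `check(RULE_AS_POSTED, 81, SNORT_CONF)` reports both values as False, while `check(RULE_WITH_81, 81, SNORT_CONF)` reports the rule as matching port 81 but http_inspect still not covering it.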


