[Emerging-Sigs] Signature for Virus:Win32/Slugin.A

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 15 15:21:52 EDT 2010


Thanks for the sig Dave. Two issues though:

1. The domain name will be gone in days if not sooner. Not good to base the sig on that.

2. In Suricata we can say "alert http ... ", but not in Snort unfortunately.

Maybe snort will have protocol detection someday. But not now.

Matt


On Oct 15, 2010, at 3:17 PM, waldo kitty wrote:

> On 10/15/2010 14:18, Joel Esler wrote:
>> On Fri, Oct 15, 2010 at 2:14 PM, waldo kitty <wkitty42 at windstream.net> wrote:
>> 
>>    On 10/15/2010 08:29, dave richards wrote:
>>> Hi Matt,
>>> 
>>> Please find the signature for Virus:Win32/Slugin.A
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS
>> 
>>    according to the threatexpert link, the above $HTTP_PORTS should be 81 /or/
>>    one's snort.conf should have port 81 in their list of HTTP_PORTS... the default
>>    HTTP_PORTS list in the VRT recommended snort.conf does not have 81 in this
>>    list...
>> 
>> In addition you should have 81 in the http_inspect ports configuration for your
>> network.
> 
> right... 81 is not in that list in the VRT snort.conf either ;)
> 
> 
>> 
>>> Win32/Slugin.A Reporting"; flow:to_server,established;
>>> content:"Host\:"; nocase; content:"paulinhosanotos.no-ip.biz"; nocase;
>>> classtype:trojan-activity;
>>> reference:url,threatexpert.com/report.aspx?md5=693592c6cfc2eae41ca23854a0752ec1;
>>> reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSlugin.A;
>>> sid:20101072; rev:1;)
>>> 
>>> Looking forward to your comments if any
>> 
>>    not sure how you might want to handle the above... can something like
>>    [$HTTP_PORTS, 81] be done? of course, this might cause problems for those who
>>    may have 81 in their list... i dunno...
>> 
>>    _______________________________________________
>>    Emerging-sigs mailing list
>>    Emerging-sigs at emergingthreats.net
>>    http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>>    Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>>    http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>> 
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
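The thread raises two checks that are easy to get wrong by hand: whether the rule's `$HTTP_PORTS` destination actually includes the port the sample uses (81), and whether that same port is in the http_inspect port list so the preprocessor normalises the traffic the rule inspects. The Python checker below is an added example, not code from the thread, from Emerging Threats or from Snort. The snort.conf fragments and the simplified rule header are constructed for the demonstration (the port lists are not the real VRT defaults), and the checker also resolves `$VAR` entries inside a bracketed list such as `[$HTTP_PORTS,81]`, the form asked about in the thread.

```python
import re

# Constructed snort.conf fragments (not the real VRT file): one without
# port 81, and one with 81 added in both places the thread says it must be.
CONF_WITHOUT_81 = r"""
ipvar HOME_NET any
portvar HTTP_PORTS [80,8000:8010,8080,8088]
preprocessor http_inspect_server: server default \
    profile all ports { 80 8000 8080 8088 } \
    oversize_dir_length 500
"""

CONF_WITH_81 = r"""
ipvar HOME_NET any
portvar HTTP_PORTS [80,81,8000:8010,8080,8088]
preprocessor http_inspect_server: server default \
    profile all ports { 80 81 8000 8080 8088 } \
    oversize_dir_length 500
"""

# Header of the rule under discussion, with the body reduced to msg/sid.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"VIRUS Win32/Slugin.A Reporting"; flow:to_server,established; '
        'sid:20101072; rev:1;)')


def join_continuations(conf):
    """Fold snort.conf backslash line continuations into single lines."""
    return re.sub(r'\\\s*\n\s*', ' ', conf)


def expand_ports(tokens, conf=''):
    """Expand Snort port tokens ('80', '8000:8010', '$HTTP_PORTS') into a
    set of ints. Negated entries ('!80') are skipped: this check only asks
    what is positively listed."""
    ports = set()
    for tok in tokens:
        tok = tok.strip()
        if not tok or tok.startswith('!'):
            continue
        if tok.startswith('$'):
            ports |= parse_portvar(conf, tok[1:])
        elif ':' in tok:
            lo, hi = tok.split(':', 1)
            ports.update(range(int(lo) if lo else 0, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(tok))
    return ports


def parse_portvar(conf, name):
    """Return the ports listed in `portvar NAME [...]`, or an empty set."""
    m = re.search(r'^\s*portvar\s+%s\s+\[?([^\]\n]*)\]?' % re.escape(name),
                  join_continuations(conf), re.MULTILINE)
    return expand_ports(m.group(1).split(','), conf) if m else set()


def parse_http_inspect_ports(conf):
    """Return the ports in the http_inspect_server `ports { ... }` clause."""
    m = re.search(r'^\s*preprocessor\s+http_inspect_server:.*?ports\s*\{([^}]*)\}',
                  join_continuations(conf), re.MULTILINE)
    return expand_ports(m.group(1).split()) if m else set()


def rule_dst_port_field(rule):
    """Return the destination port field of a rule header, e.g. '$HTTP_PORTS',
    'any', '81' or '[$HTTP_PORTS,81]'."""
    header = rule.split('(', 1)[0].split()
    # action proto src_ip src_port direction dst_ip dst_port
    if len(header) < 7:
        raise ValueError('malformed rule header: %r' % rule)
    return header[6]


def rule_covers_port(rule, conf, port):
    """Answer both questions from the thread for one rule and one snort.conf:
    does the destination port field match `port`, and does http_inspect also
    handle `port` (so the HTTP content matches run on normalised traffic)?"""
    field = rule_dst_port_field(rule)
    matches = field == 'any' or port in expand_ports(field.strip('[]').split(','), conf)
    return {
        'dst_port_matches': matches,
        'http_inspect_covers': port in parse_http_inspect_ports(conf),
    }


if __name__ == '__main__':
    for label, conf in (('without 81', CONF_WITHOUT_81), ('with 81', CONF_WITH_81)):
        print(label, rule_covers_port(RULE, conf, 81))
```

Run against the first fragment the checker reports that neither the port variable nor http_inspect covers 81, which is the silent-miss case waldo kitty describes; against the second both come back true. A rule header written as `[$HTTP_PORTS,81]` satisfies the first check on its own but still leaves the http_inspect half unmet, which is Joel Esler's point about the preprocessor configuration.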
