[Emerging-Sigs] Signature for Virus:Win32/Slugin.A

dave richards dave.richards0319 at gmail.com
Sat Oct 16 06:49:52 EDT 2010


Hi Matt,

I am absolutely unaware of how to build signatures in Suricata, and moreover I
could not find any reading manual for Suricata available over the Internet;
whatever knowledge I have, I have on SNORT. So I request you to kindly
assist me in this regard.

Thank you for the inputs, Matt, and the rest of the development team.

On Sat, Oct 16, 2010 at 12:51 AM, Matthew Jonkman <jonkman at emergingthreatspro.com> wrote:
> Thanks for the sig Dave. Two issues though:
>
> 1. The domain name will be gone in days if not sooner. Not good to base the sig on that.
>
> 2. In suricata we can say "alert http ... ", but not in snort unfortunately.
>
> Maybe snort will have protocol detection someday. But not now.
>
> Matt
>
>
> On Oct 15, 2010, at 3:17 PM, waldo kitty wrote:
>
>> On 10/15/2010 14:18, Joel Esler wrote:
>>> On Fri, Oct 15, 2010 at 2:14 PM, waldo kitty <wkitty42 at windstream.net> wrote:
>>>
>>>    On 10/15/2010 08:29, dave richards wrote:
>>>> Hi Matt,
>>>>
>>>> Please find the signature for Virus:Win32/Slugin.A
>>>>
>>>> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS
>>>
>>>    according to the threatexpert link, the above $HTTP_PORTS should be 81 /or/
>>>    one's snort.conf should have port 81 in their list of HTTP_PORTS... the default
>>>    HTTP_PORTS list in the VRT recommended snort.conf does not have 81 in this
>>>    list...
>>>
>>> In addition you should have 81 in the http_inspect ports configuration for your
>>> network.
>>
>> right... 81 is not in that list in the VRT snort.conf either ;)
>>
>>
>>>
>>>> Win32/Slugin.A Reporting"; flow:to_server,established;
>>>> content:"Host\:"; nocase; content:"paulinhosanotos.no-ip.biz"; nocase;
>>>> classtype:trojan-activity;
>>>> reference:url,threatexpert.com/report.aspx?md5=693592c6cfc2eae41ca23854a0752ec1;
>>>> reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSlugin.A;
>>>> sid:20101072; rev:1;)
>>>>
>>>> Looking forward for your comments if any
>>>
>>>    not sure how you might want to handle the above... can something like
>>>    [$HTTP_PORTS, 81] be done? of course, this might cause problems for those who
>>>    may have 81 in their list... i dunno...
>>>
>>>    _______________________________________________
>>>    Emerging-sigs mailing list
>>>    Emerging-sigs at emergingthreats.net
>>>    http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>    Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>>>    http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>



-- 
Regards,
Dave
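The thread makes three technical points: a Snort rule bound to $HTTP_PORTS never sees a beacon on port 81 unless both the port variable and http_inspect know about that port; Suricata can use "alert http" and a normalized Host-header buffer instead of a port list; and the no-ip.biz hostname is a throwaway indicator. The following is an added example that puts those points into config form. It is not Dave's, Matt's or the Emerging Threats rule set's own text. The hostname content is kept only because it is the indicator under discussion; Matt's first objection to it stands. It assumes Snort 2.9-style snort.conf syntax and a Suricata release with sticky buffers (4.1 or later; older releases would use http_header in place of http.host). The 8080 port, the Suricata sid and the rev bump are illustrative choices, not values from the thread.

```snort
# --- snort.conf: port 81 has to be HTTP in BOTH places ---
# The VRT default lists omit 81, so a rule whose header says $HTTP_PORTS
# is never evaluated against this beacon. portvar fixes the rule header;
# http_inspect_server makes the preprocessor normalize the stream as HTTP.
portvar HTTP_PORTS [80,81,8080]
preprocessor http_inspect_server: server default profile all ports { 80 81 8080 }

# --- Snort rule: same matches as Dave's, now reachable on port 81 ---
# "Host|3a|" is the hex form of "Host:"; it avoids any doubt about which
# characters the rule parser accepts as backslash escapes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS Win32/Slugin.A Reporting"; flow:to_server,established; content:"Host|3a|"; nocase; content:"paulinhosanotos.no-ip.biz"; nocase; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=693592c6cfc2eae41ca23854a0752ec1; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSlugin.A; sid:20101072; rev:2;)

# --- Suricata rule: protocol detection instead of a port list ---
# "alert http ... any" matches HTTP on whatever port the app-layer detector
# finds it on (81 included). http.host is the normalized, lowercased Host
# header, so nocase is neither needed nor permitted on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"VIRUS Win32/Slugin.A Reporting"; flow:to_server,established; http.host; content:"paulinhosanotos.no-ip.biz"; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=693592c6cfc2eae41ca23854a0752ec1; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSlugin.A; sid:2010107201; rev:1;)
```

Two caveats. On the Snort side, waldo's "[$HTTP_PORTS, 81]" idea in the rule header does nothing useful unless http_inspect_server also lists 81, because without normalization the Host header is only matched as raw payload. On both engines, nothing in the thread gives a durable artifact of the beacon (URI, User-Agent, body), so each rule still keys on a dynamic-DNS name that Matt expects to be gone within days; treat it as a short-lived signature, not a permanent one.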