[Emerging-Sigs] Strange UDP Trojan check-in

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Oct 6 10:19:45 EDT 2011


On Oct 6, 2011, at 10:04 AM, Nathan wrote:

> Awesome, you used my PCRE for Snort versions that don't support byte_extract! 
> I feel more special now and less dumb than before.
> 

You're "special", no doubt about it! :)

> #Snort 2.4
> alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN ZeuS P2P
> Communication 1"; dsize:72; pcre:"/^.{63}(.)\1{8}$/Bs";
> classtype:trojan-activity; sid:2013739; rev:4;)
> 
> /me does a happy dance because I got to use a PCRE with a back reference.
> 

We're adding a negate for |00| in there, and adjusting the byte_extract version for suricata and snort 2.9. Update out shortly. 

Reports of falses on bittorrent traffic, which is likely mostly based on padding (00), so fixing up!

Matt

> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4364 bytes
Desc: not available
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20111006/60d892e2/smime-0001.bin


More information about the Emerging-sigs mailing list