[Emerging-Sigs] Strange UDP Trojan check-in

Martin Holste mcholste at gmail.com
Mon Oct 10 20:12:13 EDT 2011


What I consider the "official" write-up is now here:
http://www.abuse.ch/?p=3499 .  Looks like there is a gameover3.php as
well.  I'm thinking we modify the existing gameover sigs to be
"/gameover" with a pcre to catch /gameover\d+\.php/Ui.

On Thu, Oct 6, 2011 at 9:19 AM, Matthew Jonkman
<jonkman at emergingthreatspro.com> wrote:
> On Oct 6, 2011, at 10:04 AM, Nathan wrote:
>
>> Awesome, you used my PCRE for Snort versions that don't support byte_extract!
>> I feel more special now and less dumb than before.
>>
>
> You're "special", no doubt about it! :)
>
>> #Snort 2.4
>> alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN ZeuS P2P
>> Communication 1"; dsize:72; pcre:"/^.{63}(.)\1{8}$/Bs";
>> classtype:trojan-activity; sid:2013739; rev:4;)
>>
>> /me does a happy dance because I got to use a PCRE with a back reference.
>>
>
> We're adding a negate for |00| in there, and adjusting the byte_extract version for suricata and snort 2.9. Update out shortly.
>
> Reports of falses on bittorrent traffic, which is likely mostly based on padding (00), so fixing up!
>
> Matt
>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
>
>
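Added example (not code from the thread, from Emerging Threats, or from the ET ruleset): a Python emulation of the two checks discussed above, run over constructed sample data. It models the Snort 2.4 rule (dsize:72, destination port not 53, pcre /^.{63}(.)\1{8}$/Bs) and a second form with the proposed |00| negation, so the BitTorrent zero-padding false positive can be seen side by side, and it applies Martin's proposed URI pcre (spelling corrected) to a few request paths. The way the negation is modelled here (the repeated trailing byte may be anything except 0x00) is an assumption about the updated rule, not its actual text, and all payloads and URIs are constructed, not captures.

```python
import re

# Emulate the Snort 2.4 rule from the thread on raw UDP payloads.
# dsize:72 and the "!53" port negation are checked directly; the pcre
# /^.{63}(.)\1{8}$/Bs becomes a bytes regex with DOTALL standing in for
# the "s" modifier ("B" = raw payload, which is what we feed it).
ZEUS_P2P_TAIL = re.compile(rb"^.{63}(.)\1{8}$", re.DOTALL)

# Assumed form of the "|00| negate" mentioned in the thread: the repeated
# trailing byte may be anything except 0x00.  The real updated ET rule may
# express this differently (e.g. a content/offset test); this is a model.
ZEUS_P2P_TAIL_NONZERO = re.compile(rb"^.{63}([^\x00])\1{8}$", re.DOTALL)

# Proposed URI pcre /gameover\d+\.php/Ui: "i" -> IGNORECASE; the "U"
# (normalized URI buffer) modifier is approximated by matching on an
# already-extracted request path.
GAMEOVER_URI = re.compile(r"/gameover\d+\.php", re.IGNORECASE)


def matches_zeus_p2p(payload: bytes, dst_port: int, negate_null: bool = False) -> bool:
    """True if a UDP datagram would fire the ET TROJAN ZeuS P2P rule."""
    if dst_port == 53:          # $EXTERNAL_NET !53
        return False
    if len(payload) != 72:      # dsize:72
        return False
    pattern = ZEUS_P2P_TAIL_NONZERO if negate_null else ZEUS_P2P_TAIL
    return pattern.search(payload) is not None


def matches_gameover_uri(uri: str) -> bool:
    """True if a request path would match the proposed gameover URI pcre."""
    return GAMEOVER_URI.search(uri) is not None


# Constructed sample datagrams (name, dst_port, payload); none are captures.
SAMPLES = [
    # 63 varying bytes then nine identical 0x7f bytes: the shape the rule targets
    ("zeus_like", 7777, bytes(range(63)) + b"\x7f" * 9),
    # same shape but zero padded, as in the reported BitTorrent false positives
    ("bt_padded", 6881, bytes(range(63)) + b"\x00" * 9),
    # 72 bytes with no repeated tail
    ("random_72", 7777, bytes(range(72))),
    # wrong size: dsize:72 rejects it before the pcre runs
    ("short_64", 7777, bytes(range(63)) + b"\x7f"),
    # right shape but sent to port 53, excluded by the port negation
    ("dns_port", 53, bytes(range(63)) + b"\x7f" * 9),
]


def evaluate_samples():
    """Map each sample to (fires_original_rule, fires_with_null_negation)."""
    return {
        name: (matches_zeus_p2p(p, port, False), matches_zeus_p2p(p, port, True))
        for name, port, p in SAMPLES
    }


if __name__ == "__main__":
    for name, (orig, refined) in evaluate_samples().items():
        print(f"{name:10s} original={orig!s:5s} negate_null={refined}")
    for uri in ("/gameover3.php", "/GAMEOVER12.PHP", "/gameover.php"):
        print(f"{uri:16s} -> {matches_gameover_uri(uri)}")
```

Running it shows bt_padded firing the original rule and not the negated one, which is the whole point of the rev bump. Two things a rule author would want to note: the fixed-length check must stay in front of the regex, because in both PCRE and Python a bare "$" also matches before a trailing newline, and the proposed URI pcre requires at least one digit, so a plain /gameover.php is only caught by the "/gameover" content match, not by the pcre.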