[Emerging-Sigs] Strange UDP Trojan check-in

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 11 06:19:18 EDT 2011


Thanks Martin. Pedro's posting.

Matt


On Oct 10, 2011, at 8:12 PM, Martin Holste wrote:

> What I consider the "official" write-up is now here:
> http://www.abuse.ch/?p=3499 .  Looks like there is a gameover3.php as
> well.  I'm thinking we modify the existing gameover sigs to be
> "/gameover" with a pcre to catch /gameover\d+\.php/Ui.
> 
> On Thu, Oct 6, 2011 at 9:19 AM, Matthew Jonkman
> <jonkman at emergingthreatspro.com> wrote:
>> On Oct 6, 2011, at 10:04 AM, Nathan wrote:
>> 
>>> Awesome, you used my PCRE for Snort versions that don't support byte_extract!
>>> I feel more special now and less dumb than before.
>>> 
>> 
>> You're "special", no doubt about it! :)
>> 
>>> #Snort 2.4
>>> alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN ZeuS P2P
>>> Communication 1"; dsize:72; pcre:"/^.{63}(.)\1{8}$/Bs";
>>> classtype:trojan-activity; sid:2013739; rev:4;)
>>> 
>>> /me does a happy dance because I got to use a PCRE with a back reference.
>>> 
>> 
>> We're adding a negate for |00| in there, and adjusting the byte_extract version for suricata and snort 2.9. Update out shortly.
>> 
>> Reports of falses on bittorrent traffic, which is likely mostly based on padding (00), so fixing up!
>> 
>> Matt
>> 
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> 
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
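The thread above discusses sid:2013739 (dsize 72, PCRE back-reference requiring the last nine bytes to be the same value) and the follow-up change to reject a repeated 0x00 because of BitTorrent padding false positives. The Python below is an added model of that detection logic for offline testing; it is not code from the list, the ET ruleset, or Snort/Suricata. The function names, the minimal UDP header parser, the `$HOME_NET`/`$EXTERNAL_NET` omission, the sample payloads and the exact form of the "negate |00|" pattern are my assumptions, since the revised rule text itself is not on the page.

```python
"""Model of the sid:2013739 detection logic discussed in the thread.

Constructed sample data only; nothing here is captured traffic.
"""
import re
import struct

PAYLOAD_LEN = 72          # dsize:72 in the rule body
UDP_HEADER_LEN = 8
DNS_PORT = 53             # the header uses "!53" as the destination port

# rev:4 as posted: pcre:"/^.{63}(.)\1{8}$/Bs"
# Snort's /s is Python's DOTALL ('.' also matches 0x0a); /B just selects
# the raw payload buffer, which is what we pass in anyway.
PCRE_REV4 = re.compile(rb"^.{63}(.)\1{8}$", re.DOTALL)

# Assumed rendering of "adding a negate for |00|": the repeated byte may
# be anything except 0x00, so zero-padded tails no longer match.
PCRE_NO_NULL = re.compile(rb"^.{63}([^\x00])\1{8}$", re.DOTALL)


def udp_payload(datagram):
    """Return the payload of a raw UDP datagram (header + data).

    Returns None if the length field does not agree with the bytes given,
    so a truncated or padded capture cannot satisfy the dsize check.
    """
    if len(datagram) < UDP_HEADER_LEN:
        return None
    _sport, _dport, length, _csum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length != len(datagram):
        return None
    return datagram[UDP_HEADER_LEN:]


def matches_rev4(payload):
    """dsize:72 plus the original back-reference PCRE."""
    return len(payload) == PAYLOAD_LEN and PCRE_REV4.match(payload) is not None


def matches_no_null(payload):
    """dsize:72 plus the PCRE with the 0x00 tail excluded."""
    return len(payload) == PAYLOAD_LEN and PCRE_NO_NULL.match(payload) is not None


def matches_byte_extract(payload):
    """Same check without a back-reference, in the spirit of the
    byte_extract variant mentioned for Snort 2.9 / Suricata: read the byte
    at offset 63, then require offsets 64..71 to equal it (and not be 0)."""
    if len(payload) != PAYLOAD_LEN:
        return False
    tail = payload[63]
    if tail == 0:
        return False
    return all(b == tail for b in payload[64:])


def alert_2013739(datagram, negate_null=True):
    """Header + body checks for one outbound datagram.

    The $HOME_NET -> $EXTERNAL_NET address test depends on site config and
    is deliberately not modelled here (assumption).
    """
    payload = udp_payload(datagram)
    if payload is None:
        return False
    _sport, dport = struct.unpack("!HH", datagram[:4])
    if dport == DNS_PORT:
        return False
    check = matches_no_null if negate_null else matches_rev4
    return check(payload)


def build_datagram(payload, sport=12345, dport=8443):
    """Wrap a payload in a UDP header with a correct length field (checksum 0)."""
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload


# Constructed samples: 63 arbitrary leading bytes, then a nine-byte tail.
SAMPLE_HIT = bytes(range(63)) + b"\x2a" * 9          # repeated non-zero byte
SAMPLE_ZERO_PAD = bytes(range(63)) + b"\x00" * 9     # zero padding, the false-positive shape
SAMPLE_SHORT = bytes(range(60)) + b"\x2a" * 9        # dsize 69, not 72


if __name__ == "__main__":
    for name, sample in [("hit", SAMPLE_HIT), ("zero_pad", SAMPLE_ZERO_PAD), ("short", SAMPLE_SHORT)]:
        print(name, "rev4:", matches_rev4(sample), "no_null:", matches_no_null(sample),
              "byte_extract:", matches_byte_extract(sample))
```

Running the module shows the point of the revision: the zero-padded sample fires under the rev:4 pattern and is quiet under both the no-null PCRE and the byte_extract-style check, while the genuine repeated-byte shape still fires under all three.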
