[Emerging-Sigs] W32.Duqu

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 19 17:20:09 EDT 2011


Yup, posting something similar. There's a lot more info and we have samples to dig through, but we'll get this up for today's ruleset, and get more in depth for tomorrow's.

Thanks Chris!

Matt


On Oct 19, 2011, at 5:08 PM, Christopher Granger wrote:

> Hi Emerging Threats,
> 
> What do you think about this to detect Duqu's UA?
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)|0D 0A|"; http_header; fast_pattern:only; reference:url,http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:XXXXXXX; rev:1;)
> 
> Thank you,
> -Chris
> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
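To see what the quoted rule actually tests for, here is an added example (not code from the list, from Emerging Threats, or from Chris's post) that decodes the rule's content string the way Snort does, with `|3A|`, `|3B|` and `|0D 0A|` expanding to `:`, `;` and CRLF, and then checks constructed HTTP requests against it. The sample requests, host names and function names are all assumptions made for this example. It also shows what the `http_header` modifier implies: the same bytes in a request body do not fire.

```python
import re

# Content string exactly as it appears in the rule quoted above. The |..| groups
# are Snort hex escapes: 3A is ':', 3B is ';', 0D 0A is CRLF.
DUQU_UA_CONTENT = (
    "User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| "
    "rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)|0D 0A|"
)

# One |..| group: two-digit hex bytes separated by whitespace.
_HEX_GROUP = re.compile(r"\|([0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)\|")


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort/Suricata content string into the raw bytes it matches."""
    out = bytearray()
    pos = 0
    for m in _HEX_GROUP.finditer(content):
        out += content[pos:m.start()].encode("latin-1")   # literal text
        out += bytes.fromhex(m.group(1).replace(" ", ""))  # hex group
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


DUQU_UA_BYTES = snort_content_to_bytes(DUQU_UA_CONTENT)


def http_headers(request: bytes) -> bytes:
    """Return the header block of a raw HTTP request (through the blank line).

    This is the region the rule's http_header modifier restricts the match to;
    a hit in the body would not count for that rule.
    """
    end = request.find(b"\r\n\r\n")
    return request if end < 0 else request[: end + 4]


def matches_duqu_ua(request: bytes) -> bool:
    """True if the header block contains the exact User-Agent line the rule names.

    The match is case-sensitive and byte-exact, as the rule has no nocase
    modifier, so any variation in the string (for example a different locale
    token) is not matched by this rule.
    """
    return DUQU_UA_BYTES in http_headers(request)


# Constructed sample requests for this example; not captures from Duqu samples.
SAMPLE_DUQU = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
    b"Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)\r\n"
    b"\r\n"
)

# Same browser tokens but a different locale: the byte-exact content does not match.
SAMPLE_OTHER_LOCALE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.2.9) "
    b"Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)\r\n"
    b"\r\n"
)

# The rule's bytes appear only in the body, which http_header excludes.
SAMPLE_BODY_ONLY = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: " + str(len(DUQU_UA_BYTES)).encode() + b"\r\n"
    b"\r\n"
    + DUQU_UA_BYTES
)

if __name__ == "__main__":
    for name, req in [("duqu", SAMPLE_DUQU),
                      ("other locale", SAMPLE_OTHER_LOCALE),
                      ("body only", SAMPLE_BODY_ONLY)]:
        print(f"{name:13s} -> {'ALERT' if matches_duqu_ua(req) else 'no match'}")
```

The decoder is generic, so the same `snort_content_to_bytes` can be used to sanity-check any content string before it goes into a ruleset, which is a cheap way to catch the kind of quoting mistake a mail client introduces (a curly quote in place of `"`, for instance) before the rule fails to load.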