[Emerging-Sigs] Torpig Ping-Pong Keepalives

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 21 14:07:05 EDT 2011

Just about to push a fix for this as well. I relaxed the torpig sig too far yesterday so it's hitting normal IRC.

Dropping both and revamping all of the irc sigs. Update out momentarily!


On Oct 21, 2011, at 2:02 PM, Packet Hack wrote:

> 2010824/ET TROJAN Torpig Ping-Pong Keepalives Outbound
> 2010825/ET TROJAN Torpig Ping-Pong Keepalives Inbound
> Is this what I should be looking for?
>  PING :3725369297
>  PONG :3725369297
>  PING :BE4795F4
>  PING :localhost
> The rules seem like they'd trip a lot
>  flow:to_server; dsize:<20; content:"PONG |3a|"; depth:6; reference:url...
> -- pckthck

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
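
The rule options quoted in the thread (dsize:<20; content:"PONG |3a|"; depth:6), evaluated against sample payloads, as an added example that is not part of the original messages or of the ET ruleset. The payloads are constructed, CRLF line endings are assumed, and flow:to_server and the elided part of the rule are not modelled.

```python
# Added illustration: applies only the options visible in the quoted rule
# fragment. Not the Emerging Threats rule itself.
CONTENT, DEPTH, DSIZE_LT = "PONG |3a|", 6, 20


def decode_content(pattern: str) -> bytes:
    """Convert Snort content syntax ('text |hex hex| text') to raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes and hold hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def rule_matches(payload: bytes, content: str = CONTENT,
                 depth: int = DEPTH, dsize_lt: int = DSIZE_LT) -> bool:
    """dsize:<N on the whole payload, then content within the first `depth` bytes."""
    if len(payload) >= dsize_lt:
        return False
    return decode_content(content) in payload[:depth]


# Constructed payloads; the first two reuse tokens quoted in the thread.
SAMPLES = [
    ("keepalive token from the thread", b"PONG :3725369297\r\n"),
    ("PING from the thread", b"PING :BE4795F4\r\n"),
    ("ordinary client reply, short server name", b"PONG :localhost\r\n"),
    ("ordinary client reply, long server name", b"PONG :irc.example.net\r\n"),
]


def matching_labels(samples=SAMPLES):
    """Labels of the sample payloads on which the rule options would fire."""
    return [label for label, payload in samples if rule_matches(payload)]


if __name__ == "__main__":
    for label, payload in SAMPLES:
        verdict = "ALERT" if rule_matches(payload) else "quiet"
        print(f"{verdict:5}  {label}: {payload!r}")
```

The only thing separating the two ordinary replies is payload length: nothing in these options looks at the token after "PONG :".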
