[Emerging-Sigs] Torpig Ping-Pong Keepalives

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 21 14:07:05 EDT 2011


Just about to push a fix for this as well. I relaxed the torpig sig too far yesterday so it's hitting normal IRC.

Dropping both and revamping all of the irc sigs. Update out momentarily!

Matt


On Oct 21, 2011, at 2:02 PM, Packet Hack wrote:

> 2010824/ET TROJAN Torpig Ping-Pong Keepalives Outbound
> 2010825/ET TROJAN Torpig Ping-Pong Keepalives Inbound
> 
> Is this what I should be looking for?
> 
>  PING :3725369297
>  PONG :3725369297
>  PING :BE4795F4
>  PING :localhost
> 
> The rules seem like they'd trip a lot
> 
>  flow:to_server; dsize:<20; content:"PONG |3a|"; depth:6; reference:url...
> 
> -- pckthck


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
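
Added example, not part of the original thread or the ET ruleset: a small Python check that applies only the rule options quoted above (dsize:<20; content:"PONG |3a|"; depth:6) to constructed IRC payloads, to show which ordinary keepalive replies satisfy them. Flow direction and the elided remainder of the rule are not modelled; the payloads reuse the tokens from the thread plus one hypothetical server name.

```python
# Emulates only the options visible in the quoted rule fragment:
#   dsize:<20; content:"PONG |3a|"; depth:6;
# Everything else in the rule (flow state, elided options) is out of scope.

CONTENT = b"PONG \x3a"   # |3a| is the hex escape for ':'
DEPTH = 6                # content must be found within the first 6 payload bytes
MAX_DSIZE = 20           # dsize:<20 -> payload length strictly below 20


def rule_fragment_matches(payload: bytes) -> bool:
    """Return True if the payload satisfies the quoted dsize/content/depth options."""
    if len(payload) >= MAX_DSIZE:
        return False
    # The pattern is 6 bytes long and depth is 6, so it can only match at offset 0.
    return CONTENT in payload[:DEPTH]


# Constructed payloads (one IRC line per packet, CRLF terminated).
SAMPLES = [
    b"PING :3725369297\r\n",        # server ping: no "PONG :" at offset 0
    b"PONG :3725369297\r\n",        # ordinary client reply, 18 bytes
    b"PONG :BE4795F4\r\n",          # reply to a hex-style token, 16 bytes
    b"PONG :localhost\r\n",         # reply to a hostname token, 17 bytes
    b"PONG :irc.example.net\r\n",   # hypothetical server name, 23 bytes: too long
    b" PONG :1234\r\n",             # leading space pushes the pattern past depth 6
]


def flagged(samples):
    """Return the payloads that the quoted options would alert on."""
    return [p for p in samples if rule_fragment_matches(p)]


if __name__ == "__main__":
    for payload in SAMPLES:
        verdict = "ALERT" if rule_fragment_matches(payload) else "pass "
        print(verdict, len(payload), payload)
```

Any short PONG reply an IRC client sends in answer to a server PING meets these three options, so tightening has to come from additional conditions rather than from the keyword and size alone.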


