[Emerging-Sigs] Kelihos p2p sig

harry.tuttle harry.tuttle at zoho.com
Mon Dec 10 12:21:37 HAST 2012

I came up with the following from samples provided by abuse.ch. Their blog post on the subject: http://www.abuse.ch/?p=4878

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Kelihos p2p traffic detected via byte_test"; flow:established,to_server; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; classtype:trojan-activity; sid:nnnnnnn; rev:1;)

It's not the best performer, but there are worse rules in the set. It definitely falses without at least one negation, but we might not need all three. Likewise, we may not need all five positive matches. Let me know what you all think.

PCAPs are on anubis:
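The rule's byte_extract/byte_test chain, re-implemented in Python as an added example (not part of the original post or the ET ruleset) so the matching logic can be exercised offline; the payloads below are constructed, not captured Kelihos traffic, and `negations=False` shows what the rule does without the three != tests:

```python
import struct

# Offsets from the rule: the 16-bit word extracted at payload offset 2 must
# recur at offsets 6, 10, 14, 18 and 22, and must differ from the words at
# offsets 0, 4 and 8. byte_test/byte_extract read big-endian by default.
EXTRACT_OFFSET = 2
EQUAL_OFFSETS = (6, 10, 14, 18, 22)
NOT_EQUAL_OFFSETS = (0, 4, 8)


def word_at(payload: bytes, offset: int) -> int:
    """Read one big-endian 16-bit word, as byte_test does without 'little'."""
    return struct.unpack_from(">H", payload, offset)[0]


def rule_matches(payload: bytes, negations: bool = True) -> bool:
    """Evaluate the rule's byte_test chain; negations=False drops the != tests."""
    if len(payload) < max(EQUAL_OFFSETS) + 2:
        return False  # a byte_test past the end of the payload does not match
    p2p = word_at(payload, EXTRACT_OFFSET)
    if any(word_at(payload, off) != p2p for off in EQUAL_OFFSETS):
        return False
    if negations and any(word_at(payload, off) == p2p for off in NOT_EQUAL_OFFSETS):
        return False
    return True


def build(words):
    """Pack a list of 16-bit words into a big-endian byte string (constructed data)."""
    return b"".join(struct.pack(">H", w) for w in words)


# Constructed sample: 0x1234 at offset 2 recurs at 6/10/14/18/22 and the words
# at 0/4/8 all differ from it, so every test in the rule passes.
MATCHING = build([0xAAAA, 0x1234, 0xBBBB, 0x1234, 0xCCCC, 0x1234,
                  0xDDDD, 0x1234, 0xEEEE, 0x1234, 0xFFFF, 0x1234])

# Constructed sample: 24 zero bytes. The five == tests all pass on repeated
# padding like this; only the != tests reject it, which is the false-positive
# case the post refers to.
ALL_ZERO = bytes(24)

# Constructed sample: an ordinary HTTP request fails on the first == test.
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example\r\n"
```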