[Emerging-Sigs] Kelihos p2p sig

harry.tuttle harry.tuttle at zoho.com
Mon Dec 10 12:21:37 HAST 2012


I came up with the following from samples provided by abuse.ch. Their blog post on the subject: http://www.abuse.ch/?p=4878

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Kelihos p2p traffic detected via byte_test"; flow:established,to_server; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; classtype:trojan-activity; sid:nnnnnnn; rev:1;)

It's not the best performer, but there are worse rules in the set. It definitely falses without at least one negation, but we might not need all three. Likewise, we may not need all five positive matches. Let me know what you all think.

PCAPs are on anubis:
http://anubis.iseclab.org/?action=result&task_id=169229bb0f9f35a2481b61b009bec78a2
http://anubis.iseclab.org/?action=result&task_id=16c11de16e343f10491dafb827b7cebe5

Regards,
Harry
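To see what the byte_extract/byte_test chain in the rule above actually matches, here is a small Python re-implementation of that logic (an added example, not part of the original post or of any Emerging Threats code). It assumes Snort's default byte_test semantics: big-endian reads, a leading `!` negating the operator, and a test that runs past the end of the payload failing. The sample payloads are constructed, not taken from the abuse.ch captures; the all-zero payload shows why the rule falses without at least one negation.

```python
"""Re-implementation of the byte_extract / byte_test chain in the Kelihos p2p rule."""
import operator
import struct
from typing import Optional

# Comparison operators byte_test understands; a leading '!' negates any of them.
_OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt}


def byte_extract(payload: bytes, nbytes: int, offset: int) -> Optional[int]:
    """Read nbytes big-endian at offset (byte_extract); None if payload is too short."""
    if offset < 0 or offset + nbytes > len(payload):
        return None
    return int.from_bytes(payload[offset:offset + nbytes], "big")


def byte_test(payload: bytes, nbytes: int, op: str, value: int, offset: int) -> bool:
    """Evaluate one byte_test:<nbytes>,<op>,<value>,<offset> against the payload."""
    negate = op.startswith("!")
    compare = _OPS[op.lstrip("!")]
    actual = byte_extract(payload, nbytes, offset)
    if actual is None:
        return False  # assumption: a read past the payload fails the test
    result = compare(actual, value)
    return (not result) if negate else result


# Offsets transcribed from the rule: five positive checks, three negations.
POSITIVE_OFFSETS = (6, 10, 14, 18, 22)
NEGATIVE_OFFSETS = (0, 4, 8)


def positive_tests_only(payload: bytes) -> bool:
    """The rule with the three '!=' byte_tests dropped (what it would look like without negations)."""
    key = byte_extract(payload, 2, 2)  # byte_extract:2,2,kelihos.p2p
    if key is None:
        return False
    return all(byte_test(payload, 2, "=", key, off) for off in POSITIVE_OFFSETS)


def kelihos_rule_matches(payload: bytes) -> bool:
    """Full rule logic: the extracted word repeats at the five offsets and differs at the three."""
    key = byte_extract(payload, 2, 2)
    if key is None:
        return False
    return (all(byte_test(payload, 2, "=", key, off) for off in POSITIVE_OFFSETS)
            and all(byte_test(payload, 2, "!=", key, off) for off in NEGATIVE_OFFSETS))


# Constructed sample payloads (not real captures). Each is twelve 16-bit words;
# word 1 (offset 2) is the key, words 3,5,7,9,11 (offsets 6..22) repeat it,
# words 0,2,4 (offsets 0,4,8) hold something else.
KEY = 0xABCD
SAMPLE_MATCH = struct.pack(">12H", 0x0102, KEY, 0x0000, KEY, 0x1111, KEY,
                           0x2222, KEY, 0x3333, KEY, 0x4444, KEY)
ALL_ZERO = bytes(24)          # repeats at every offset: positives pass, negations fail
TRUNCATED = SAMPLE_MATCH[:20]  # offset 22 needs 24 bytes, so the last positive test fails


def demo() -> dict:
    return {
        "sample_matches": kelihos_rule_matches(SAMPLE_MATCH),
        "zeros_full_rule": kelihos_rule_matches(ALL_ZERO),
        "zeros_without_negations": positive_tests_only(ALL_ZERO),
        "truncated": kelihos_rule_matches(TRUNCATED),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

The `zeros_without_negations` case is the point of the author's remark about negations: any payload that repeats the same 16-bit word (zero padding, runs of 0xFF) satisfies the five equality tests, so at least one `!=` check against a nearby offset is what keeps the rule from firing on generic traffic. Testing which of the three negations and five positives can be dropped is then a matter of replaying the PCAPs through both variants and comparing hit counts.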



More information about the Emerging-sigs mailing list