[Emerging-Sigs] Kelihos p2p sig
jesler at sourcefire.com
Mon Dec 10 13:15:43 HAST 2012
This will run on every single packet that goes through the system. That's why it's intensive. Can you explain your matches?
Sent from my iPad
On Dec 10, 2012, at 5:21 PM, "harry.tuttle" <harry.tuttle at zoho.com> wrote:
> I came up with the following from samples provided by abuse.ch. Their blog post on the subject: http://www.abuse.ch/?p=4878
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Kelihos p2p traffic detected via byte_test"; flow:established,to_server; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; classtype:trojan-activity; sid:nnnnnnn; rev:1;)
> It's not the best performer, but there are worse rules in the set. It definitely falses without at least one negation, but we might not need all three. Likewise, we may not need all five positive matches. Let me know what you all think.
> PCAPs are on anubis:
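The byte_extract/byte_test chain of the quoted rule, emulated in Python over constructed payloads so the match logic can be read and checked offline. This is an added example, not code from the thread or from the ET ruleset; the offsets are the rule's own, while the sample payloads and the require_negations switch are assumptions introduced here to show why at least one of the != tests is needed.

```python
import struct

# Offsets taken from the quoted rule: byte_extract:2,2,kelihos.p2p reads the
# 16-bit value at payload offset 2; it must recur at offsets 6,10,14,18,22
# and must differ from the values at offsets 0, 4 and 8.
EXTRACT_OFFSET = 2
MUST_EQUAL = (6, 10, 14, 18, 22)
MUST_DIFFER = (0, 4, 8)

def u16(payload: bytes, offset: int) -> int:
    # byte_extract/byte_test default to big-endian, as in the rule.
    return struct.unpack_from(">H", payload, offset)[0]

def kelihos_rule_matches(payload: bytes, require_negations: bool = True) -> bool:
    """Emulate the rule's byte_test chain on one TCP payload.
    require_negations=False drops the three != tests, i.e. the variant the
    poster says 'definitely falses'. A payload too short for any tested
    offset fails, as it would in Snort."""
    if len(payload) < max(MUST_EQUAL) + 2:
        return False
    ref = u16(payload, EXTRACT_OFFSET)
    if any(u16(payload, off) != ref for off in MUST_EQUAL):
        return False
    if require_negations and any(u16(payload, off) == ref for off in MUST_DIFFER):
        return False
    return True

def words(*vals: int) -> bytes:
    # Helper for building constructed payloads from 16-bit words.
    return b"".join(struct.pack(">H", v) for v in vals)

# Constructed sample payloads (assumed here), not real Kelihos captures.
SAMPLES = {
    # 0xABCD sits at offsets 2,6,...,22; offsets 0,4,8 hold other values.
    "repeating_marker": words(0x1234, 0xABCD, 0x5678, 0xABCD, 0x9ABC, 0xABCD,
                              0xDEF0, 0xABCD, 0x1122, 0xABCD, 0x3344, 0xABCD),
    "all_zero": bytes(24),  # passes the five = tests, caught only by the != tests
    "short_packet": b"\x00\x01\x02\x03",
    "http_get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

def evaluate_samples(require_negations: bool = True) -> dict:
    return {name: kelihos_rule_matches(p, require_negations)
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} {'ALERT' if hit else 'no match'}")
```

Note that nothing here models the cost Joel raises: with no content match to anchor it, the real rule evaluates this chain on every packet that reaches it.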