[Emerging-Sigs] Kelihos p2p sig

Joel Esler jesler at sourcefire.com
Mon Dec 10 13:15:43 HAST 2012


This will run on every single packet that goes through the system.  That's why it's intensive. Can you explain your matches?

--
Joel Esler
Sent from my iPad 

On Dec 10, 2012, at 5:21 PM, "harry.tuttle" <harry.tuttle at zoho.com> wrote:

> I came up with the following from samples provided by abuse.ch. Their blog post on the subject: http://www.abuse.ch/?p=4878
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Kelihos p2p traffic detected via byte_test"; flow:established,to_server; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; classtype:trojan-activity; sid:nnnnnnn; rev:1;)
> 
> It's not the best performer, but there are worse rules in the set. It definitely falses without at least one negation, but we might not need all three. Likewise, we may not need all five positive matches. Let me know what you all think.
> 
> PCAPs are on anubis:
> http://anubis.iseclab.org/?action=result&task_id=169229bb0f9f35a2481b61b009bec78a2
> http://anubis.iseclab.org/?action=result&task_id=16c11de16e343f10491dafb827b7cebe5
> 
> Regards,
> Harry
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
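The posted rule has no content match, so nothing in it feeds Snort's fast-pattern matcher and the byte_extract/byte_test chain is evaluated on every established to_server packet to port 80. The following is an added example, not code from the thread or from Emerging Threats: a Python emulation of that option chain, run over constructed payloads, to show what the five "=" tests and the three "!=" tests each contribute. The offsets and the big-endian reads come from the rule as posted; the payloads are made up for the demonstration (the one labelled constructed_positive simply has the shape the rule tests for and is not real Kelihos traffic), and the variant names are this example's own.

```python
import struct

# Offsets taken from the posted rule: byte_extract at offset 2,
# five byte_test "=" checks and three byte_test "!=" checks.
EXTRACT_OFFSET = 2
POSITIVE_OFFSETS = (6, 10, 14, 18, 22)
NEGATIVE_OFFSETS = (0, 4, 8)


def read_u16(payload, offset):
    """Big-endian 16-bit value at offset, or None if the read runs past the payload.

    byte_test/byte_extract convert big-endian unless 'little' is given, and a
    read past the end of the buffer simply fails that option."""
    if offset < 0 or offset + 2 > len(payload):
        return None
    return struct.unpack_from(">H", payload, offset)[0]


def rule_matches(payload, positive=POSITIVE_OFFSETS, negative=NEGATIVE_OFFSETS):
    """Emulate the rule's option chain on one TCP payload.

    Every option must succeed for the rule to fire; the first failing
    byte_test ends evaluation, as it does when Snort walks the option list."""
    value = read_u16(payload, EXTRACT_OFFSET)       # byte_extract:2,2,kelihos.p2p
    if value is None:
        return False
    for off in positive:                            # byte_test:2,=,kelihos.p2p,<off>
        if read_u16(payload, off) != value:
            return False
    for off in negative:                            # byte_test:2,!=,kelihos.p2p,<off>
        got = read_u16(payload, off)
        if got is None or got == value:
            return False
    return True


# Hypothetical trimmed-down variants of the rule, to compare against the posted one.
VARIANTS = {
    "posted rule (5 =, 3 !=)": (POSITIVE_OFFSETS, NEGATIVE_OFFSETS),
    "no negations":            (POSITIVE_OFFSETS, ()),
    "one negation (offset 0)": (POSITIVE_OFFSETS, (0,)),
    "three =, one !=":         ((6, 10, 14), (0,)),
}


def evaluate_variants(samples, variants=VARIANTS):
    """Return {variant name: [sample names it fires on]} for a dict of name -> payload."""
    return {name: [s for s, p in samples.items() if rule_matches(p, pos, neg)]
            for name, (pos, neg) in variants.items()}


def words(*vals):
    """Pack 16-bit values big-endian, so value i lands at payload offset 2*i."""
    return struct.pack(">%dH" % len(vals), *vals)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Built to satisfy the rule: 0x1234 at offsets 2, 6, 10, 14, 18, 22 and
    # something else at 0, 4, 8. Only the shape the rule tests for, not Kelihos.
    "constructed_positive": words(0xABCD, 0x1234, 0x0001, 0x1234, 0x0002, 0x1234,
                                  0x0000, 0x1234, 0x0000, 0x1234, 0x0000, 0x1234),
    # 24 zero bytes pass all five "=" tests; this is the false-positive class
    # the "!=" tests exist to remove.
    "all_zero_padding": b"\x00" * 24,
    # An ordinary request to port 80, which the same flow filter lets through.
    "http_get": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # Too short for the byte_test at offset 10; the out-of-bounds read fails it.
    "short_packet": words(0xABCD, 0x1234, 0x0001, 0x1234),
}


if __name__ == "__main__":
    for variant, hits in evaluate_variants(SAMPLES).items():
        print("%-26s -> %s" % (variant, ", ".join(hits) or "(no hits)"))
```

Run stand-alone it prints which samples each variant fires on: the variant with no negations also fires on the zero-padded payload, which is the case the posted rule's "!=" tests remove, while a single negation at offset 0 is enough to drop it for these samples. That only speaks to the constructed inputs here; whether fewer tests are safe against real traffic has to be measured on pcaps such as the ones linked above. None of the variants change the cost Joel describes, since every one of them still lacks a content match.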