Educause Security Discussion mailing list archives

Re: experience with snort sig :"ET TROJAN Dropper-497 (Yumato) Initial Checkin"


From: "McCrary, Barbara" <bmccrary () OGSLP ORG>
Date: Mon, 18 May 2009 10:08:49 -0500

This thing sends out an email to its owner with stats and such.


Note:  This communication and attachments, if any, are intended solely
for the use of the addressee hereof.  In addition, this information and
attachments, if any, may contain information that is confidential,
privileged and exempt from disclosure under applicable law.  If you are
not the intended recipient of this information, you are prohibited from
reading, disclosing, reproducing, distributing, disseminating, or
otherwise using this information.  If you have received this message in
error, please promptly notify the sender and immediately, delete this
communication from your system.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Sunday, May 17, 2009 9:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] experience with snort sig :"ET TROJAN Dropper-497
(Yumato) Initial Checkin"

Anyone have any feeling for how reliable this one is?   Sig picks up  
packets dsize:5; content:"|30 30 30 0d 0a|" i.e. packets with exactly
5 characters "000<cr><lf>".

We got a couple of hits on it last night to a machine on a broadband
network in China.  I've asked someone to have a look at the box but
thought I'd ask if anyone had any experience with this rule.

Russell

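The rule options Russell quotes (dsize:5; content:"|30 30 30 0d 0a|") are narrow enough to re-implement in a few lines, which makes it easy to see why the signature is only as reliable as the surrounding context. The following is an added example, not code from the original thread or from the Emerging Threats rule itself: it parses the Snort content string, applies the same match condition to a set of constructed payloads, and shows that any 5-byte datagram consisting of "000<cr><lf>", whatever protocol produced it, triggers a hit. The sample payloads and helper names are assumptions for illustration.

```python
# Added example (not from the original thread): emulate the two Snort rule
# options quoted in the post so the match condition can be exercised offline.
#   dsize:5;                      -> payload length must be exactly 5 bytes
#   content:"|30 30 30 0d 0a|";   -> the bytes "000\r\n" must appear in the payload

def parse_content_option(option: str) -> bytes:
    """Parse a Snort 'content' string into bytes.

    Segments between pipe characters are hex (spaces allowed); everything
    outside pipes is taken literally, e.g. 'ab|0d 0a|' -> b'ab\\r\\n'.
    """
    out = bytearray()
    in_hex = False
    for part in option.split("|"):
        if in_hex:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
        in_hex = not in_hex
    return bytes(out)


SIG_DSIZE = 5                                   # dsize:5
SIG_CONTENT = parse_content_option("|30 30 30 0d 0a|")   # b"000\r\n"


def matches_rule(payload: bytes, dsize: int = SIG_DSIZE,
                 content: bytes = SIG_CONTENT) -> bool:
    """Return True when the payload satisfies both rule options.

    Snort's 'dsize:N' (no range operator) is an exact length test, and a
    bare 'content' option searches the whole payload; with a 5-byte content
    and dsize:5 the two together amount to an exact-payload comparison.
    """
    return len(payload) == dsize and content in payload


# Constructed sample payloads (assumed, not captured traffic).
SAMPLES = {
    "checkin_like":  b"000\r\n",        # the pattern the rule targets
    "too_long":      b"000\r\n\r\n",    # content present, but dsize != 5
    "other_digits":  b"200\r\n",        # right length, wrong bytes
    "crlf_only":     b"\r\n",           # too short
    "numeric_status": b"000\r\n",       # identical bytes from an unrelated
                                        # line-oriented protocol: also a hit
}


def classify(samples: dict) -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: matches_rule(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:15s} {'ALERT' if hit else '-'}")
```

The last two samples are byte-for-byte identical, which is the practical point: the rule cannot distinguish the dropper's check-in from any other 5-byte "000<cr><lf>" message, so a hit says little on its own and is worth correlating with the destination, the flow direction, and what else the host was doing around the same time.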