Educause Security Discussion mailing list archives
Re: experience with snort sig :"ET TROJAN Dropper-497 (Yumato) Initial Checkin"
From: "McCrary, Barbara" <bmccrary () OGSLP ORG>
Date: Mon, 18 May 2009 10:08:49 -0500
This thing sends out an email to its owner with stats and such.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Sunday, May 17, 2009 9:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] experience with snort sig :"ET TROJAN Dropper-497 (Yumato) Initial Checkin"

Anyone have any feeling for how reliable this one is? Sig picks up packets dsize:5; content:"|30 30 30 0d 0a|" i.e. packets with exactly 5 characters "000<cr><lf>". We got a couple of hits on it last night to a machine on a broadband network in China. I've asked someone to have a look at the box but thought I'd ask if anyone had any experience with this rule.

Russell
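The two rule options quoted in Russell's message, dsize:5 and content:"|30 30 30 0d 0a|", emulated in Python over constructed payloads so the match logic can be inspected; this is an added example, not code from the list or from the Emerging Threats ruleset, and the sample payloads and function names are assumptions.

```python
def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content string into bytes.

    Snort content options mix literal text with hex sections delimited by
    pipes, e.g. "GET |0d 0a|" or the rule's "|30 30 30 0d 0a|".
    Splitting on "|" alternates literal and hex segments.
    """
    out = bytearray()
    in_hex = False
    for segment in spec.split("|"):
        if in_hex:
            out.extend(bytes.fromhex(segment))  # fromhex ignores the spaces
        else:
            out.extend(segment.encode("latin-1"))
        in_hex = not in_hex
    return bytes(out)


def matches_checkin_rule(payload: bytes,
                         dsize: int = 5,
                         content: str = "|30 30 30 0d 0a|") -> bool:
    """Emulate the two options from the thread.

    dsize:N compares the full application-layer payload length with N;
    content:"..." looks for the byte string anywhere in the payload.
    Both must hold for the rule to fire.
    """
    pattern = parse_snort_content(content)
    return len(payload) == dsize and pattern in payload


# Constructed sample payloads (not captured traffic) to exercise the rule.
SAMPLES = {
    "three_zeros_crlf": b"000\r\n",       # exactly what the rule describes
    "same_prefix_longer": b"000\r\nabc",  # content present, dsize fails
    "other_five_bytes": b"200\r\n",       # dsize ok, content differs
    "zeros_lf_only": b"000\n",            # 4 bytes, no CR
}


def classify(samples: dict) -> dict:
    """Run every sample through the rule emulation; returns name -> fired."""
    return {name: matches_checkin_rule(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, fired in classify(SAMPLES).items():
        print(f"{name:20s} -> {'ALERT' if fired else 'no match'}")
```

Because the match depends on nothing but a five-byte payload of "000\r\n", any protocol that emits that string as a standalone segment will fire it too, so correlating hits with the destination and with what the host does next is what tells a real check-in from a coincidence.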