Snort mailing list archives
Virut Botnet rule?
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Thu, 8 Jan 2009 14:50:27 -0700
Hi,

Does anyone know if there is a rule that would detect the Virut botnet communications, either in the snort rules or ET rules? Unfortunately, I had some machines pick this up, spread via the MS08-067 vulnerability. I did write a rule to detect communication outbound to what I think are C&C servers (any communication from $HOME_NET to $EXTERNAL_NET:11830). Just wondering if there may have already been some rules I could have used.

Also, I wanted to thank the list for their help! Snort & BASE happened to be our only method of finding these infections with our current toolset...

Thanks,
Shawn
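The kind of rule described in the message above, written out as an added example; it is not the poster's actual rule and not a rule from the Snort or ET rule sets. It assumes the traffic is TCP and that Snort 2.x in-rule `threshold` syntax is available; the message text and SID are constructed, with the SID taken from the local range (1000000 and up).

```snort
# local.rules -- added example, not from the original post.
# Assumption: the suspected C&C traffic on port 11830 is TCP.
#
# flags:S,12  matches the initial SYN only (ignoring the two reserved/ECN
#             bits), so the rule fires on connection attempts even when an
#             egress firewall drops them and no session is established.
# threshold   limits output to one alert per internal source per 5 minutes,
#             so a host that retries continuously does not flood BASE.
alert tcp $HOME_NET any -> $EXTERNAL_NET 11830 ( \
    msg:"LOCAL Possible Virut C&C outbound connection attempt (port 11830)"; \
    flags:S,12; \
    threshold:type limit, track by_src, count 1, seconds 300; \
    classtype:trojan-activity; \
    sid:1000001; rev:1;)
```

A port-only match will also alert on any legitimate client that happens to connect to a service on 11830, so each alerting source address still needs to be confirmed on the host itself.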
Current thread:
- Virut Botnet rule? Jefferson, Shawn (Jan 08)
- Re: Virut Botnet rule? Matt Jonkman (Jan 08)
- Re: Virut Botnet rule? Jefferson, Shawn (Jan 09)
- Re: Virut Botnet rule? Matt Jonkman (Jan 09)
- Re: Virut Botnet rule? Jefferson, Shawn (Jan 09)
- Re: Virut Botnet rule? Matt Jonkman (Jan 08)