Snort mailing list archives
Re: Context: Malware Blog Post on Dark Comet RAT with Snort Signatures
From: JJ Cummings <cummingsj () gmail com>
Date: Thu, 3 Nov 2011 10:26:08 -0600
These rules are very very very bad, and are missing a foundational item that every pcre rule should have, a basic content match.

Sent from the iRoad

On Nov 3, 2011, at 10:04, Martin Holste <mcholste () gmail com> wrote:

>> Context Information Security has released a blog post on the Dark Comet RAT. The article covers the reverse engineering and analysis of its functionality, how to decrypt its traffic and Snort signatures to detect its traffic on the wire.
>
> Intel is always welcome on mailing lists, but advertising is not. Your post here is walking a very fine line between the two.
>
>> Signatures:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature: DarkComet-RAT Incoming Keepalive"; flow:from_server,established; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature: DarkComet-RAT Outgoing Keepalive"; flow:to_server,established; pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1; reference:url,www.contextis.com/research/blog/darkcometrat/;)
>
> These signatures are poor and have had better versions available for free to the Snort community since June 21st via a separate organization on a separate mailing list under sid 2013090. I have no problem with beginners posting sigs that need improvement, but if you advertise for your company, you lose "beginner" status.
>
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18
> Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
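The point JJ Cummings raises, a pcre rule with no content match, means every packet on the matching flow is handed to the regex engine with nothing for Snort's fast-pattern matcher to prefilter on. Below is an added rewrite of the two rules from the thread with a literal content anchor in front of each pcre; it is not the original Context IS rules and not the separately mentioned sid 2013090, and the sid/rev values are assumed local numbers (the thread's sids with rev bumped). One caveat worth knowing: inside a Snort content string `|` is the hex-byte delimiter, so the literal pipe in `KeepAlive|` has to be written as `|7C|`.

```snort
# Added example, not the thread's own rules: DarkComet keepalive signatures
# with the content match that lets the fast-pattern matcher prefilter, so the
# PCRE is only evaluated on packets that already carry the literal token.
# sid/rev values are assumed local numbers (thread sids, rev bumped by one).

# Incoming keepalive. The literal pipe after "KeepAlive" must be written as
# the hex byte |7C| because "|" delimits hex inside a content string.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"LOCAL DarkComet-RAT Incoming Keepalive"; \
    flow:from_server,established; \
    content:"KeepAlive|7C|"; fast_pattern; \
    pcre:"/KeepAlive\|\d{7}/"; \
    classtype:trojan-activity; \
    reference:url,www.contextis.com/research/blog/darkcometrat/; \
    sid:1000001; rev:3; \
)

# Outgoing keepalive. The observed token is upper-case with no pipe, so the
# content match and the PCRE are kept case-sensitive and agree on the bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"LOCAL DarkComet-RAT Outgoing Keepalive"; \
    flow:to_server,established; \
    content:"KEEPALIVE"; fast_pattern; \
    pcre:"/KEEPALIVE\d{7}/"; \
    classtype:trojan-activity; \
    reference:url,www.contextis.com/research/blog/darkcometrat/; \
    sid:1000002; rev:2; \
)
```

Load these into a local rules file and run a sample pcap through `snort -c snort.conf -r sample.pcap` to confirm the alerts still fire on the same keepalive packets while non-matching traffic never reaches the pcre option.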