Snort mailing list archives
Re: Context: Malware Blog Post on Dark Comet RAT with Snort Signatures
From: Bad Horse <b4dh0rs3 () gmail com>
Date: Thu, 3 Nov 2011 12:27:11 -0500
Martin,

Thank you for saying this. I was really trying to be nice here, but apparently I did not perform enough due diligence to see that the Emerging Threats (http://www.emergingthreats.net) community has this already covered. I won't nit-pick the poor quality of the rules suggested by disclosure () contextis co uk, but let's just say it reminds me of VRT new-hires (just kidding VRT .. mostly :)

But seriously, I applaud the Emerging Threats community for once again being ahead of the threat and beating out competition like Sourcefire VRT, ISS X-Force, TippingPoint "Digital Doctors", McAfee "I really need a job so I'll take this one" group, Symantec "meh, just pay us" team, Checkpoint "you can't be sure but we don't block on the Sabbath", and others.

-Bad Horse
The Thoroughbred of SYN

On 11/3/11, Martin Holste <mcholste () gmail com> wrote:
> > Context Information Security has released a blog post on the Dark Comet RAT. The article covers the reverse engineering and analysis of its functionality, how to decrypt its traffic and snort signatures to detect its traffic on the wire.
>
> Intel is always welcome on mailing lists, but advertising is not. Your post here is walking a very fine line between the two.
>
> > Signatures:
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature: DarkComet-RAT Incoming Keepalive"; flow:from_server,established; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature: DarkComet-RAT Outgoing Keepalive"; flow:to_server,established; pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1; reference:url,www.contextis.com/research/blog/darkcometrat/;)
>
> These signatures are poor and have had better versions available for free to the Snort community since June 21st via a separate organization on a separate mailing list under sid 2013090. I have no problem with beginners posting sigs that need improvement, but if you advertise for your company, you lose "beginner" status.
>
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18 Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
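For readers who want to check what the two quoted rules actually fire on before deploying them, the following small harness is added here; it is not code from Context IS, Emerging Threats or anyone in the thread. It evaluates only each rule's pcre body (flow direction and the other rule options are ignored, a simplification of this harness), and the sample payloads are constructed, not captured DarkComet traffic.

```python
import re

# The two rules exactly as quoted in the thread.
RULES = [
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature: DarkComet-RAT Incoming Keepalive"; flow:from_server,established; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature: DarkComet-RAT Outgoing Keepalive"; flow:to_server,established; pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1; reference:url,www.contextis.com/research/blog/darkcometrat/;)',
]


def parse_rule(rule):
    """Extract msg, sid and a compiled regex from a Snort rule's option block.

    Only the pcre option is honoured, and of Snort's pcre modifiers only 'i'
    and 's' are mapped onto Python flags (a simplification for this harness).
    """
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    msg = re.search(r'msg:"([^"]*)"', opts).group(1)
    sid = int(re.search(r"sid:(\d+)", opts).group(1))
    m = re.search(r'pcre:"/([^"]*)/([a-zA-Z]*)"', opts)
    body, mods = m.group(1), m.group(2)
    flags = (re.IGNORECASE if "i" in mods else 0) | (re.DOTALL if "s" in mods else 0)
    return {"msg": msg, "sid": sid, "regex": re.compile(body.encode(), flags)}


def matching_sids(payload, rules=RULES):
    """Return the sids whose pcre fires on a raw payload (bytes)."""
    return sorted(r["sid"] for r in map(parse_rule, rules) if r["regex"].search(payload))


# Constructed sample payloads (not captured traffic) exercising the two regexes.
SAMPLES = {
    b"KeepAlive|1234567": "expect sid 1000001 (server -> client form)",
    b"KEEPALIVE1234567": "expect sid 1000002 (client -> server form)",
    b"KeepAlive|12345": "only five digits, expect no match",
    b"keepalive|1234567": "no /i modifier, so case matters, expect no match",
    b"GET /x?KEEPALIVE12345678 HTTP/1.1\r\n": "unanchored pcre also fires inside unrelated data",
}

if __name__ == "__main__":
    for payload, note in SAMPLES.items():
        print(f"{payload!r:45} -> {matching_sids(payload)}  # {note}")
```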