Snort mailing list archives

Re: Context: Malware Blog Post on Dark Comet RAT with Snort Signatures


From: Bad Horse <b4dh0rs3 () gmail com>
Date: Thu, 3 Nov 2011 12:27:11 -0500

Martin,

Thank you for saying this.  I was really trying to be nice here but
apparently I did not perform due diligence enough to see that the
Emerging Threats (http://www.emergingthreats.net) community has this
already covered.  I won't nit-pick the poor quality of the rules
suggested by disclosure () contextis co uk but let's just say it reminds
me of VRT new-hires (just kidding VRT .. mostly :)

But seriously, I applaud the Emerging Threats community for once again
being ahead of the threat and beating out competition like Sourcefire
VRT, ISS X-Force, TippingPoint "Digital Doctors", McAfee "I really
need a job so I'll take this one" group, Symantec "meh, just pay us"
team, Checkpoint "you can't be sure but we don't block on the
Sabbath", and others.

-Bad Horse
 The Thoroughbred of SYN

On 11/3/11, Martin Holste <mcholste () gmail com> wrote:
Context Information Security has released a blog post on the Dark Comet
RAT.  The article covers the reverse engineering and analysis of its
functionality, how to decrypt its traffic, and Snort signatures to detect
its traffic on the wire.


Intel is always welcome on mailing lists, but advertising is not.
Your post here is walking a very fine line between the two.


Signatures:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature: DarkComet-RAT Incoming Keepalive"; flow:from_server,established; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature: DarkComet-RAT Outgoing Keepalive"; flow:to_server,established; pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1; reference:url,www.contextis.com/research/blog/darkcometrat/;)


These signatures are poor and have had better versions available for
free to the Snort community since June 21st via a separate
organization on a separate mailing list under sid 2013090.  I have no
problem with beginners posting sigs that need improvement, but if you
advertise for your company, you lose "beginner" status.

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


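To see what the two posted rules actually match and, just as importantly, what they let through, here is an added example (not code from the thread, from Context, or from Emerging Threats) that transcribes the rules' direction and pcre conditions into a small Python matcher and runs it over constructed flow records. It assumes a home network of 10.0.0.0/8, that $EXTERNAL_NET is defined as !$HOME_NET (the stock snort.conf defaults it to any, which is broader), that every sample flow is already established, and that Python's re is equivalent to PCRE for these two simple patterns.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: home network as Snort's $HOME_NET; $EXTERNAL_NET modelled as !$HOME_NET.
HOME_NET = [ip_network("10.0.0.0/8")]


def is_home(ip: str) -> bool:
    return any(ip_address(ip) in net for net in HOME_NET)


# The two rules as posted, reduced to the conditions that decide a match:
# source/destination side, flow direction keyword, and the pcre pattern.
# Note the patterns are case-sensitive (no /i modifier) and unanchored.
RULES = [
    {
        "sid": 1000001,
        "msg": "Context Signature: DarkComet-RAT Incoming Keepalive",
        "src_home": False,          # $EXTERNAL_NET ->
        "dst_home": True,           # -> $HOME_NET
        "flow": "from_server",
        "pcre": re.compile(rb"KeepAlive\|\d{7}"),
    },
    {
        "sid": 1000002,
        "msg": "Context Signature: DarkComet-RAT Outgoing Keepalive",
        "src_home": True,           # $HOME_NET ->
        "dst_home": False,          # -> $EXTERNAL_NET
        "flow": "to_server",
        "pcre": re.compile(rb"KEEPALIVE\d{7}"),
    },
]


def evaluate(flow: dict) -> list:
    """Return the sids of every rule that fires on one flow record.

    A flow record is a dict with src, dst (IP strings), direction
    ("to_server" or "from_server", i.e. relative to whoever accepted the
    connection) and payload (bytes). All records are assumed established.
    """
    hits = []
    for rule in RULES:
        if is_home(flow["src"]) != rule["src_home"]:
            continue
        if is_home(flow["dst"]) != rule["dst_home"]:
            continue
        if flow["direction"] != rule["flow"]:
            continue
        if rule["pcre"].search(flow["payload"]) is None:
            continue
        hits.append(rule["sid"])
    return hits


# Constructed sample flows (not captured traffic); 203.0.113.0/24 is a
# documentation range standing in for an external address.
SAMPLE_FLOWS = [
    # 1. external server -> home client, keepalive with 7 digits: sid 1000001
    {"src": "203.0.113.5", "dst": "10.0.0.7", "direction": "from_server",
     "payload": b"KeepAlive|1234567"},
    # 2. home client -> external server, uppercase keepalive: sid 1000002
    {"src": "10.0.0.7", "dst": "203.0.113.5", "direction": "to_server",
     "payload": b"KEEPALIVE1234567"},
    # 3. same direction as 2 but mixed-case token: neither rule fires
    #    (rule 1 wants from_server, rule 2 is case-sensitive)
    {"src": "10.0.0.7", "dst": "203.0.113.5", "direction": "to_server",
     "payload": b"KeepAlive|1234567"},
    # 4. host-to-host inside $HOME_NET: both sides home, so no rule applies
    {"src": "10.0.0.7", "dst": "10.0.0.9", "direction": "to_server",
     "payload": b"KEEPALIVE1234567"},
    # 5. only six digits after the token: \d{7} does not match
    {"src": "203.0.113.5", "dst": "10.0.0.7", "direction": "from_server",
     "payload": b"KeepAlive|123456"},
]


def run_samples() -> list:
    """Evaluate every constructed flow; returns one sid list per flow."""
    return [evaluate(flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, sids in zip(SAMPLE_FLOWS, run_samples()):
        print(flow["src"], "->", flow["dst"], flow["direction"],
              flow["payload"], "=>", sids or "no alert")
```

Flows 3 and 4 are the instructive ones: the same keepalive token goes unalerted when it travels in the direction the rule did not anticipate, or between two hosts that both fall inside $HOME_NET, so coverage of these rules depends as much on the network variables and flow keyword as on the pattern itself.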

