Snort mailing list archives
Re: Nettraveler sig
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 4 Jun 2013 19:18:19 -0400
James,

You are going to love this one.. I got the samples and ran them through our sandbox, captured the pcaps, ran them against Snort, etc. We already catch this, so I'm thinking, no problem, I'll move the rule into the community ruleset. I go to edit the rule, and it's already in the community ruleset. ORLY? I said to myself, who wrote it? Looked in the AUTHORS file (in the community tarball) and guess who wrote it? You. Congrats.

26656

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jun 4, 2013, at 6:39 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2013-06-04 15:52, James Lay wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Nettraveler C2 Control Loop"; flow:to_server,established; content:"nettraveler.asp|3f|action="; http_uri; ; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; classtype:trojan-activity; sid:10000073; rev:1;)

Nice writeup in that PDF.

James

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!

And fixed (extraneous ; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Nettraveler C2 Control Loop"; flow:to_server,established; content:"nettraveler.asp|3f|action="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; classtype:trojan-activity; sid:10000073; rev:2;)

James
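The two rule revisions in the thread, walked through as an added example that is not part of the original messages or of Snort itself: a small Python checker (all helper names are hypothetical) that splits the rule's options the way Snort's parser sees them, flags the empty option left by the stray "; ;" in rev:1, decodes the |3f| hex notation to show the exact URI substring the http_uri content match looks for, and tests constructed request URIs against it.

```python
# Added example (not from the thread or from Snort). Both rule strings are copied from
# the thread; the helper names and the test URIs below are constructed for illustration.
RULE_REV1 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"MALWARE-CNC Nettraveler C2 Control Loop"; flow:to_server,established; '
    'content:"nettraveler.asp|3f|action="; http_uri; ; '
    'metadata:policy balanced-ips drop, policy security-ips drop, service http; '
    'reference:url,http://www.securelist.com/en/downloads/vlpdfs/'
    'kaspersky-the-net-traveler-part1-final.pdf; classtype:trojan-activity; sid:10000073; rev:1;)'
)
RULE_REV2 = RULE_REV1.replace('http_uri; ;', 'http_uri;').replace('rev:1;', 'rev:2;')

def split_options(rule):
    """Split the text inside the rule's parentheses on ';' that sits outside double quotes."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, cur, in_quote = [], '', False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(cur.strip())
            cur = ''
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return opts

def empty_options(rule):
    """Indexes of empty options, i.e. the extraneous ';' that rev:2 removed."""
    return [i for i, opt in enumerate(split_options(rule)) if opt == '']

def decode_content(value):
    """Turn Snort content notation (text with |hex| pipe blocks) into the raw bytes matched."""
    out = b''
    for i, part in enumerate(value.split('|')):
        out += bytes.fromhex(part.replace(' ', '')) if i % 2 else part.encode('latin-1')
    return out

def http_uri_patterns(rule):
    """Decoded bytes of every content: option whose next option is the http_uri modifier."""
    opts = split_options(rule)
    return [decode_content(o[len('content:'):].strip().strip('"'))
            for i, o in enumerate(opts)
            if o.startswith('content:') and i + 1 < len(opts) and opts[i + 1] == 'http_uri']

def matches_uri(rule, uri):
    """True when every http_uri content pattern occurs (case-sensitively, no nocase) in the URI."""
    pats = http_uri_patterns(rule)
    return bool(pats) and all(p in uri.encode('latin-1') for p in pats)
```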