Snort mailing list archives
Linux Fokirtor Backdoor
From: Y M <snort () outlook com>
Date: Tue, 19 Nov 2013 20:43:51 +0000
I would imagine that the pcre may not be required or may even not be right. Not much data to work with. Any second look at this can help.

alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"MALWARE-BACKDOOR Linux.Trojan.Fokirtor inbound command attempt"; flow:to_server,established; content:"|3A 21 3B 2E|"; fast_pattern:only; pcre:"/\x3a\x21\x3b\x2e[A-Z0-9]{10,}/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssh; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:100112;)

Thanks.
YM
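A small harness, added here as an example (not part of the post or of the Snort project), that pulls the content and pcre options out of the rule above and runs them over constructed payloads the way Snort would: fast-pattern content first, pcre only on a content hit. It uses Python's re as an approximation of PCRE, and the sample payloads are made up, not Fokirtor captures; it makes visible what the pcre's [A-Z0-9]{10,} class accepts and rejects, which bears on the doubt about the pcre raised above.

```python
import re

# The rule as posted, reduced to the options that affect matching.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"MALWARE-BACKDOOR '
        'Linux.Trojan.Fokirtor inbound command attempt"; flow:to_server,established; '
        'content:"|3A 21 3B 2E|"; fast_pattern:only; '
        'pcre:"/\\x3a\\x21\\x3b\\x2e[A-Z0-9]{10,}/"; classtype:trojan-activity; sid:100112;)')


def parse_rule(rule: str) -> tuple[bytes, re.Pattern]:
    """Extract the hex content (between pipes) and the pcre body/modifiers from the rule text."""
    hex_opt = re.search(r'content:"\|([0-9A-Fa-f ]+)\|"', rule)
    pcre_opt = re.search(r'pcre:"/(.*?)/([a-zA-Z]*)"', rule)
    if not hex_opt or not pcre_opt:
        raise ValueError("rule lacks a hex content or a pcre option")
    content = bytes.fromhex(hex_opt.group(1))          # b":!;." for this rule
    flags = re.I if "i" in pcre_opt.group(2) else 0    # only the 'i' modifier is mapped here
    return content, re.compile(pcre_opt.group(1).encode(), flags)


def evaluate(payload: bytes, content: bytes, pattern: re.Pattern) -> dict:
    """Two stages like Snort: the fast-pattern content must hit before the pcre is evaluated."""
    content_hit = content in payload
    pcre_hit = bool(pattern.search(payload)) if content_hit else False
    return {"content": content_hit, "pcre": pcre_hit, "alert": content_hit and pcre_hit}


# Constructed payloads for the check; none of these are real captures.
SAMPLES = {
    "marker_then_long_upper_token": b"\x00\x10foo:!;.A9B8C7D6E5F4G3bar",
    "marker_then_short_token": b":!;.ABC123",            # content hits, token shorter than 10
    "marker_then_lowercase_token": b":!;.abcdefghijklmnop",  # content hits, class rejects lowercase
    "no_marker": b"SSH-2.0-OpenSSH_6.2\r\n",             # ordinary SSH banner, no content hit
}


def run_samples() -> dict:
    """Evaluate every sample against the parsed rule and return the per-stage results."""
    content, pattern = parse_rule(RULE)
    return {name: evaluate(p, content, pattern) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in run_samples().items():
        print(f"{name:30} content={r['content']!s:5} pcre={r['pcre']!s:5} alert={r['alert']}")
```

Only the first sample alerts; the second and third show that the content option alone would fire on the marker while the pcre narrows it to a 10+ character uppercase/digit token immediately after it.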