Snort mailing list archives
Re: [Snort-users] Vbs rat threat rules
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 28 Jan 2014 12:46:41 -0500
On 1/28/2014 12:07 PM, Feroz Basir wrote:
Hi, thanks for replying. My packets go through a proxy and snort sits between 2 proxies. I've just learned that this proxy might change or encapsulate the packets. I'm trying to monitor a vbs rat threat that is making connections from the inside to the outside world via various port numbers and hostnames. I have the rule but it didn't work. So I thought VRT could have a special rule for this.
as noted, there are numerous RAT oriented rules... /which/ specific RAT are you looking for? what do you mean with the term "vbs"?? to many people, that means "Visual BaSic"...
alert tcp $home_net any -> $external_host 1000 (msg:"alert vbs rat"; content:"Host|3A|"; nocase; http_header; content:"some.website.net"; nocase; http_header; fast_pattern:only; priority:1; sid:1000002; rev:1;)
since your snort is sitting between two proxies and there is the possibility that the traffic may be encapsulated, have you tried capturing the traffic directly as it passes? you can use tcpdump to capture to a pcap and then review the traffic to see what format it is taking...

are both proxies in your $home_net or is the external proxy outside your defined $home_net? if it is within your $home_net, your rule will not detect it in some cases... these cases will depend on what you have defined for each...

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
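As an added illustration of the two points raised above (it is not code from the thread or from Snort): the script below emulates only the posted rule's two nocase content matches on the HTTP header buffer and its $home_net -> external direction, run over constructed requests of the kinds a capture between two proxies can contain. The hostname, the HOME_NET ranges and all sample bytes are made up for the example.

```python
import ipaddress

# Constructed sample requests, as "Follow TCP stream" on a tcpdump pcap might show them.
DIRECT = b"GET / HTTP/1.1\r\nHost: some.website.net\r\nUser-Agent: x\r\n\r\n"
# Client-to-proxy form: absolute URI in the request line, Host header kept (case may differ).
PROXIED = b"GET http://some.website.net/ HTTP/1.1\r\nHost: SOME.WEBSITE.NET\r\n\r\n"
# CONNECT tunnel: the request itself still carries Host, but everything after the
# proxy's 200 reply is an opaque (here TLS-looking) byte stream with no HTTP headers.
TUNNEL_SETUP = b"CONNECT some.website.net:443 HTTP/1.1\r\nHost: some.website.net:443\r\n\r\n"
TUNNEL_DATA = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32

def http_headers(request: bytes) -> bytes:
    """Header block roughly as Snort's http_header buffer would hold it, or b""
    when the bytes are not an HTTP request at all (e.g. tunnel data)."""
    head, sep, _ = request.partition(b"\r\n\r\n")
    if not sep:
        return b""
    line, _, rest = head.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return b""
    return rest

def rule_matches(request: bytes, host: bytes = b"some.website.net") -> bool:
    """Emulates the rule's two nocase content matches on the header buffer only;
    it does not model http_inspect, which must also be configured for the port
    used in the rule (1000) before any http_header buffer exists for that traffic."""
    hdr = http_headers(request).lower()
    return b"host:" in hdr and host.lower() in hdr

HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # constructed

def direction_ok(src: str, dst: str) -> bool:
    """'$HOME_NET any -> $EXTERNAL_NET ...' with EXTERNAL_NET = !HOME_NET: the rule
    can only fire when src is inside HOME_NET and dst is outside it."""
    inside = lambda ip: any(ipaddress.ip_address(ip) in n for n in HOME_NET)
    return inside(src) and not inside(dst)

if __name__ == "__main__":
    for name, req in (("direct", DIRECT), ("proxied", PROXIED),
                      ("connect", TUNNEL_SETUP), ("tunnel data", TUNNEL_DATA)):
        print(f"{name:12s} header match: {rule_matches(req)}")
    # sensor between two proxies that are both inside HOME_NET: direction never matches
    print("10.1.2.3 -> 192.168.50.1 direction:", direction_ok("10.1.2.3", "192.168.50.1"))
    print("10.1.2.3 -> 203.0.113.5 direction:", direction_ok("10.1.2.3", "203.0.113.5"))
```

The CONNECT request itself matches on the Host header once, but the tunnelled bytes that follow never will, and when both proxies sit inside $home_net the source/destination test fails before the content matches are ever tried.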