Snort mailing list archives

Re: Snort Ebury SSH Rootkit


From: rmkml <rmkml () yahoo fr>
Date: Mon, 17 Feb 2014 13:33:31 +0100 (CET)

Thanks for sharing,

I'm curious whether this rootkit always uses the same DNS transaction ID, please?

This sig fixes it at 0x120b (4619 dec).

Two comments:
- extra [] on [\x00]{6}
- extra | on [\x01|\x02|\x03]

Regards
@Rmkml


On Mon, 17 Feb 2014, Y M wrote:

I can't help with that :).
 
YM
 

____________________________________________________________________________________________________________________________________________________________________________________________________________________________
Date: Mon, 17 Feb 2014 11:35:52 +0100
From: lukas.matt () sophos com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit

Thanks YM!

But if I see that correctly, there was no answer on whether it will be included or not, right (and when)?

Cheers,
Lukas

On 02/17/2014 11:30 AM, Y M wrote:
      Hi Lukas,
       
      This was posted to the list 2 days ago :).
       
      http://seclists.org/snort/2014/q1/364
       
      YM
       

____________________________________________________________________________________________________________________________________________________________________________________________________________________________
      Date: Mon, 17 Feb 2014 11:26:03 +0100
      From: lukas.matt () sophos com
      To: snort-sigs () lists sourceforge net
      Subject: [Snort-sigs] Snort Ebury SSH Rootkit

      Hi guys,

      The German intelligence agency wrote a Snort rule for detecting the Ebury rootkit.
      Are you aware of that rule, and when will it be included in the pattern set?

            https://www.cert-bund.de/ebury-faq

            alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
                (msg:"Ebury SSH Rootkit data exfiltration"; \
                content:"|12 0b 01 00 00 01|"; depth:6; \
                pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; \
                reference:url,https://www.cert-bund.de/ebury-faq; \
                classtype:trojan-activity; sid:10001; rev:1;)


      Cheers,
      Lukas


--
Lukas Matt
Deep Packet Inspection Researcher, RnD

tel: +49-721-25516-322, cell: +49-174-3440-555

Sophos Technology GmbH Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany

SOPHOS Security made simple

---
Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk

      ------------------------------------------------------------------------------
      Android apps run on BlackBerry 10
      Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
      Now with support for Jelly Bean, Bluetooth, Mapview and more.
      Get your Android app in front of a whole new audience. Start now.
      http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
      _______________________________________________
      Snort-sigs mailing list
      Snort-sigs () lists sourceforge net
      https://lists.sourceforge.net/lists/listinfo/snort-sigs
      http://www.snort.org
      Please visit http://blog.snort.org for the latest news about Snort!




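The rule quoted in Lukas's original post, checked in Python as an added example (this is editor-supplied code, not anything from the thread or from the CERT-Bund FAQ). It encodes DNS query payloads in the shape the pcre describes, applies the rule's two payload tests in Snort's order (content match on the first six bytes, then the pcre), and shows which constructed packets alert. The sample payloads are constructed; the 32-character hex label stands in for whatever Ebury really puts in that label, and the script makes no claim about the real encoding.

```python
import re
import struct

# First six bytes the rule's content match pins down: transaction ID 0x120b,
# flags 0x0100 (standard query, recursion desired) and QDCOUNT 1.
EBURY_HEADER = bytes.fromhex("120b01000001")

# The rule's pcre body as a Python bytes regex.  Snort's "s" flag is re.DOTALL;
# it matters because "." has to match the length byte of the first label, and
# a 10-character hex label gives a length byte of 0x0a (newline).  Snort's "B"
# flag (match the raw payload, not a normalized buffer) has no re equivalent.
EBURY_PCRE = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}"
    rb"(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01",
    re.DOTALL,
)


def build_query(txid, labels, qtype=1, qclass=1):
    """Encode a minimal DNS query: 12-byte header, one QNAME, QTYPE, QCLASS.

    labels is a list of bytes objects, one per DNS label (1..63 bytes each).
    ANCOUNT, NSCOUNT and ARCOUNT are zero, the six zero bytes the rule expects.
    """
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError("DNS label must be 1..63 bytes: %r" % label)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, qclass)


def qname_labels(payload):
    """Split the QNAME of a query payload back into its labels (a query's
    QNAME carries no compression pointers, so plain length-prefixed walk)."""
    labels, off = [], 12
    while True:
        n = payload[off]
        off += 1
        if n == 0:
            return labels
        labels.append(payload[off:off + n])
        off += n


def matches_ebury_rule(payload):
    """Evaluate the rule's payload tests in Snort's order: the cheap content
    match on the first six bytes (depth:6), then the pcre over the payload."""
    if payload[:6] != EBURY_HEADER:
        return False
    return EBURY_PCRE.match(payload) is not None


# Constructed sample payloads (not captures).  The hex label stands in for the
# data Ebury would carry; its real encoding is not described on this page.
SAMPLE_HEX = b"0123456789abcdef0123456789abcdef"
EBURY_IPV4 = build_query(0x120B, [SAMPLE_HEX, b"192", b"0", b"2", b"10"])
EBURY_LOOPBACK = build_query(0x120B, [SAMPLE_HEX, b"::1"])
# Same transaction ID by chance but an ordinary hostname: the content match
# passes (1 in 65536 of legitimate queries will), the pcre rejects it.
BENIGN_SAME_TXID = build_query(0x120B, [b"www", b"example", b"com"])
# Same QNAME shape but a different transaction ID: fails the content match.
OTHER_TXID = build_query(0x1A2B, [SAMPLE_HEX, b"192", b"0", b"2", b"10"])


if __name__ == "__main__":
    samples = [("EBURY_IPV4", EBURY_IPV4), ("EBURY_LOOPBACK", EBURY_LOOPBACK),
               ("BENIGN_SAME_TXID", BENIGN_SAME_TXID), ("OTHER_TXID", OTHER_TXID)]
    for name, pkt in samples:
        print("%-17s txid=0x%04x labels=%s -> %s" % (
            name, struct.unpack(">H", pkt[:2])[0], qname_labels(pkt),
            "ALERT" if matches_ebury_rule(pkt) else "no match"))
```

Two observations from running it that bear on rmkml's comments: `[\x00]{6}` is the same as `\x00{6}`, just noisier, and the `|` inside `[\x01|\x02|\x03]` is a literal character, so that class also accepts a label length byte of 0x7c (124); no valid DNS label is that long, so the looseness costs nothing in practice. The only thing the rule hard-codes about the packet is the transaction ID (0x120b) and the RD-only flags word, which is why the content match alone is not enough and the pcre does the real work.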
