Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort Ebury SSH Rootkit

From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sun, 23 Feb 2014 13:12:54 +0000
We received permission to use the other rule from the author.  We're putting it through QA now.  We can't just take 
people's rules.  

--
Joel Esler
Sent from my iPhone


On Feb 22, 2014, at 14:48, "Y M" <snort () outlook com> wrote:

Another rule suggested/authored by ESET on welivesecurity. Sig is at the bottom:
 
http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
 
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"Linux/Ebury SSH backdoor activty"; content:"SSH-2.0"; 
isdataat:20,relative; pcre:"/^SSH-2\.0-[0-9a-f]{22,46}/sm"; 
reference:url,http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/; 
classtype:trojan-activity; sid:1000001; rev:1;)

 

Date: Mon, 17 Feb 2014 13:33:31 +0100
From: rmkml () yahoo fr
To: snort () outlook com; lukas.matt () sophos com
CC: snort-sigs () lists sourceforge net; rmkml () yahoo fr
Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit

Thx you for sharing,

I'm curious if this rootkit use always same dns transaction ID please ?

This sig fixed 0x120b (4619 dec)

Two comments:
- extra [] on [\x00]{6}
- extra | on [\x01|\x02|\x03]

Regards
@Rmkml


On Mon, 17 Feb 2014, Y M wrote:


I can't help with that :).
 
YM
 

____________________________________________________________________________________________________________________________________________________________________________________________________________________________
Date: Mon, 17 Feb 2014 11:35:52 +0100
From: lukas.matt () sophos com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit

Thanks YM!

But if I see that correctly there was no answer whether it will be included or not right (and when)?

Cheers,
Lukas

On 02/17/2014 11:30 AM, Y M wrote:
Hi Lukas,
 
This has been posted to the list 2 days ago :).
 
http://seclists.org/snort/2014/q1/364
 
YM
 

____________________________________________________________________________________________________________________________________________________________________________________________________________________________
Date: Mon, 17 Feb 2014 11:26:03 +0100
From: lukas.matt () sophos com
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Snort Ebury SSH Rootkit

Hi guys,

the German intelligence agency wrote some Snort rule for detecting the Ebury Rootkit.
Are you aware of that rule and when will it be included into the pattern-set.

https://www.cert-bund.de/ebury-faq

alert udp $HOME_NET any -> $EXTERNAL_NET 53 \ (msg:"Ebury SSH Rootkit data exfiltration";\ content:"|12 0b 01 00 
00 01|"; depth:6;\ pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}\
(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs";\ reference:url,https://www.cert-bund.de/ebury-faq;\ 
classtype:trojan-activity; sid:10001; rev:1;)


Cheers,
Lukas


-- 
Lukas Matt
Deep Packet Inspection Researcher, RnD

tel: +49-721-25516-322, cell: +49-174-3440-555

Sophos Technology GmbH 
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany

SOPHOS Security made simple

---
Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany 
Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, G?nter Junk

------------------------------------------------------------------------------ Android apps run on BlackBerry 10 
Introducing the new BlackBerry 10.2.1 Runtime for Android apps. Now with support for Jelly
Bean, Bluetooth, Mapview and more. Get your Android app in front of a whole new audience. Start now. 
http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net 
https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit
http://blog.snort.org for the latest news about Snort!



-- 
Lukas Matt
Deep Packet Inspection Researcher, RnD

tel: +49-721-25516-322, cell: +49-174-3440-555

Sophos Technology GmbH 
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany

SOPHOS Security made simple

---
Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany 
Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, G?nter Junk



------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Attachment: smime.p7s
Description: 

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: