Snort mailing list archives
Re: ZeroAccess Supernode
From: Carlos Pacho <cpacho () sourcefire com>
Date: Mon, 2 Jun 2014 10:41:39 -0400
Hi Andre,

The new rule looks good. We are going to add it to the community ruleset.

Thanks,

Carlos Pacho
Research Engineer, VRT
Sourcefire, now part of Cisco
cpacho () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>

On Fri, May 30, 2014 at 11:59 AM, Andre DiMino <adimino () sempersecurus org> wrote:
$dayjob has been receiving reports that a few of our hosts are acting as ZeroAccess 'supernodes'. Since we have a bunch of ZeroAccess rules enabled, I was wondering why I didn't see them fire. It seems that rule sid:23493; rev:5 will fire on outbound traffic particular to this ZeroAccess incident, however it won't fire on the inbound traffic.

    alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23493; rev:5;)

So I tweaked the rule as follows to allow for the alerting on inbound ZeroAccess:

    alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] (msg:"ZeroAccess Supernode Inbound Traffic"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity;)

I need to tweak thresholding a bit, but overall it has been working well in my limited tests. Any thoughts or comments?

--
Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
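The point of Andre's change is that a Snort rule header is directional: the community rule only inspects $HOME_NET -> $EXTERNAL_NET traffic, so a home host that has become a supernode and is receiving peer traffic on the same ports never triggers it. The following is an added example, not code from the thread or from Snort, that parses the two rules as posted and evaluates the direction, port, dsize and content/offset/depth checks against constructed UDP packets. It does not model flow:to_server, thresholding or Snort's real parser; HOME_NET, the IP addresses and the 16-byte payload are all constructed for the example.

```python
"""Miniature evaluator for the direction-sensitive parts of the two
ZeroAccess rules from the thread. Added example; not Snort's own logic."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed netgroup standing in for the Snort HOME_NET variable.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

# The two rules exactly as posted in the thread (one line each).
OUTBOUND_RULE_TEXT = (
    'alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471] '
    '(msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; '
    'flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; '
    'metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, '
    'policy security-ips drop; reference:url,www.virustotal.com/file/'
    '50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; '
    'classtype:trojan-activity; sid:23493; rev:5;)'
)
INBOUND_RULE_TEXT = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] '
    '(msg:"ZeroAccess Supernode Inbound Traffic"; flow:to_server; dsize:16; '
    'content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, '
    'policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; '
    'classtype:trojan-activity;)'
)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    src_net: str
    src_ports: Optional[Set[int]]   # None means "any"
    dst_net: str
    dst_ports: Optional[Set[int]]
    msg: str
    dsize: Optional[int]
    content: bytes
    offset: int
    depth: int


HEADER_RE = re.compile(r'^alert\s+udp\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def parse_ports(spec: str) -> Optional[Set[int]]:
    """'any' -> None; '[16464,16465]' -> {16464, 16465}; '53' -> {53}."""
    if spec == "any":
        return None
    return {int(p) for p in spec.strip("[]").split(",")}


def parse_rule(text: str) -> Rule:
    """Parse the subset of rule syntax the two thread rules actually use."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    src, sp, dst, dp, body = m.groups()
    opts = {}
    for opt in body.split(";"):
        if opt.strip():
            key, _, value = opt.strip().partition(":")
            opts[key.strip()] = value.strip()
    # content:"|28 94 8D AB|" is a hex byte string in Snort's pipe notation.
    hex_bytes = opts["content"].strip('"').strip("|").split()
    return Rule(src, parse_ports(sp), dst, parse_ports(dp),
                opts["msg"].strip('"'),
                int(opts["dsize"]) if "dsize" in opts else None,
                bytes(int(h, 16) for h in hex_bytes),
                int(opts.get("offset", 0)), int(opts.get("depth", 0)))


def in_net(ip: str, net_name: str) -> bool:
    """Resolve $HOME_NET / $EXTERNAL_NET / any against the constructed HOME_NET."""
    home = any(ipaddress.ip_address(ip) in n for n in HOME_NET)
    if net_name == "$HOME_NET":
        return home
    if net_name == "$EXTERNAL_NET":
        return not home
    if net_name == "any":
        return True
    raise ValueError("unknown netgroup " + net_name)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header direction and ports first, then dsize, then content in [offset, offset+depth)."""
    if not in_net(pkt.src, rule.src_net) or not in_net(pkt.dst, rule.dst_net):
        return False
    if rule.src_ports is not None and pkt.sport not in rule.src_ports:
        return False
    if rule.dst_ports is not None and pkt.dport not in rule.dst_ports:
        return False
    if rule.dsize is not None and len(pkt.payload) != rule.dsize:
        return False
    end = rule.offset + rule.depth if rule.depth else len(pkt.payload)
    return rule.content in pkt.payload[rule.offset:end]


def evaluate(rules: List[Rule], pkt: Packet) -> List[str]:
    """Return the msg of every rule that fires on the packet."""
    return [r.msg for r in rules if matches(r, pkt)]


RULES = [parse_rule(OUTBOUND_RULE_TEXT), parse_rule(INBOUND_RULE_TEXT)]

# Constructed 16-byte payload with the marker bytes at offset 4, as the rules expect.
PAYLOAD = bytes.fromhex("00000000" "28948dab" "0000000000000000")
# Constructed packets: a home host talking out, and a peer talking in to it.
OUTBOUND_PKT = Packet("10.1.2.3", 50000, "198.51.100.7", 16464, PAYLOAD)
INBOUND_PKT = Packet("198.51.100.7", 16464, "10.1.2.3", 16464, PAYLOAD)
WRONG_SIZE_PKT = Packet("198.51.100.7", 16464, "10.1.2.3", 16464, PAYLOAD + b"\x00")

if __name__ == "__main__":
    for name, pkt in [("outbound", OUTBOUND_PKT), ("inbound", INBOUND_PKT),
                      ("inbound, 17 bytes", WRONG_SIZE_PKT)]:
        print(name, "->", evaluate(RULES, pkt))
```

Running it shows the outbound packet firing only the community rule, the inbound packet firing only Andre's rule, and the 17-byte packet firing neither because of dsize:16. The last case is the caveat for the supernode use: any change in the peer message length would silence both rules, so thresholding aside, the exact dsize is what to revisit if coverage drops.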
Current thread:
- ZeroAccess Supernode Andre DiMino (May 30)
- Re: ZeroAccess Supernode Carlos Pacho (Jun 02)
- Re: ZeroAccess Supernode Andre DiMino (Jun 02)
- Re: ZeroAccess Supernode Andre DiMino (Jun 05)
- Re: ZeroAccess Supernode Joel Esler (jesler) (Jun 05)
- Re: ZeroAccess Supernode Carlos Pacho (Jun 02)