Snort mailing list archives
Re: no documentation about some rules
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 29 Aug 2014 12:43:03 +0000
On Aug 29, 2014, at 5:21 AM, Maurizio Di Pietro (Esterna) <m.dipietro () resi it> wrote:
I looked on VirusTotal too, for example for event 23493 (Win.trojan.zeroAccess), but I'd like to understand why the rule searches for the 4 bytes (28,94,8d,ab) from the fifth to the eighth byte. I didn't understand the rule. Does the malware contact the C&C by UDP on port 16464 and send these bytes?
Yes. 16464 is just one of the four ports that ZeroAccess communicates with its P2P network on: [16464,16465,16470,16471]
Why?
It's an XOR'ed "getL" command, the command to update its internal P2P list. The value is static.
How does it work? This is very important to understand whether it is a false positive.
We've never seen a false positive from ZeroAccess rules. If you have a machine in HOME_NET that is exhibiting this traffic, you're infected.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
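An added illustration, not from the thread and not the Talos rule itself, of the matching logic Joel describes: a minimal checker that applies the same two conditions, a UDP port in the ZeroAccess P2P set and the static 4 bytes at payload bytes 5 to 8, to constructed datagrams. It assumes the offset is counted within the UDP payload and that the rule keys on the destination port of outbound traffic; the thread states neither explicitly.

```python
import struct

# Ports ZeroAccess uses for its P2P traffic, as listed in the reply above.
ZEROACCESS_PORTS = {16464, 16465, 16470, 16471}
# Static 4-byte value the rule looks for at payload bytes 5..8 (offset 4, depth 4).
GETL_MARKER = bytes.fromhex("28948dab")


def parse_udp(datagram: bytes):
    """Split a raw UDP datagram (8-byte header + payload) into (src, dst, payload)."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than UDP header")
    src, dst, length, _csum = struct.unpack("!HHHH", datagram[:8])
    # The UDP length field counts the header; clamp to what we actually have.
    return src, dst, datagram[8:min(length, len(datagram))]


def matches_zeroaccess_getl(datagram: bytes) -> bool:
    """True if the datagram satisfies both conditions the thread describes."""
    _src, dst, payload = parse_udp(datagram)
    if dst not in ZEROACCESS_PORTS:          # assumption: rule keys on dst port
        return False
    # Snort-style content match with offset:4 depth:4 -- only bytes 5..8 count,
    # so the same marker elsewhere in the payload does not fire.
    return payload[4:8] == GETL_MARKER


def build_udp(src: int, dst: int, payload: bytes) -> bytes:
    """Build a raw UDP datagram with a zero checksum (constructed test input)."""
    return struct.pack("!HHHH", src, dst, 8 + len(payload), 0) + payload


# Constructed samples: one true positive and three near-misses.
SAMPLES = {
    "getl_to_16464": build_udp(51000, 16464, b"\x00" * 4 + GETL_MARKER + b"\x00" * 8),
    "marker_wrong_offset": build_udp(51000, 16464, GETL_MARKER + b"\x00" * 12),
    "marker_wrong_port": build_udp(51000, 53, b"\x00" * 4 + GETL_MARKER + b"\x00" * 8),
    "short_payload": build_udp(51000, 16470, b"\x01\x02"),
}


def scan(samples: dict) -> dict:
    """Run the checker over every sample and report which ones would alert."""
    return {name: matches_zeroaccess_getl(d) for name, d in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name}: {'ALERT' if hit else 'ok'}")
```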
Current thread:
- no documentation about some rules Maurizio Di Pietro (Esterna) (Aug 28)
- Re: no documentation about some rules Joel Esler (jesler) (Aug 28)
- R: no documentation about some rules Maurizio Di Pietro (Esterna) (Aug 29)
- Re: no documentation about some rules Joel Esler (jesler) (Aug 29)
- R: no documentation about some rules Maurizio Di Pietro (Esterna) (Aug 29)
- Re: no documentation about some rules Jamie Riden (Aug 28)
- Re: no documentation about some rules Joel Esler (jesler) (Aug 28)
- Re: no documentation about some rules Jamie Riden (Aug 29)
- Re: no documentation about some rules Joel Esler (jesler) (Aug 28)
- Re: no documentation about some rules Joel Esler (jesler) (Aug 28)