Re: Allaplw Trojan Sig: msg#00111 (security.ids.snort.bleedingsnort)
I recommend adding icode:0; itype:8; to this rule so it narrows it down to echo requests coming from the HOME_NET:

alert icmp $HOME_NET any -> any any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep"; content:"Babcdefghijklmnopqrstuvwabcdefghi"; icode:0; itype:8; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; sid:2003292; rev:2;)

Matt Jonkman wrote:
> In sandboxing one, a couple of us have noticed that the ICMP from this
> thing's sweeps has a unique payload.
>
> This is posted, please let me know if this ends up hitting on other
> types of ICMP.
>
> alert icmp $HOME_NET any -> any any (msg:"BLEEDING-EDGE WORM Allaple
> ICMP Sweep"; content:"Babcdefghijklmnopqrstuvwabcdefghi";
> classtype:trojan-activity;
> reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html;
> sid:2003292; rev:1;)
>
> Matt

--
bob.

Robert Grabowsky, CISSP | Ra Security Systems, Inc. | 908-698-4141
rgrabowsky-DfEsjWXG9N5OSnsfY10OVw@xxxxxxxxxxxxxxxx | GPG KeyID 0x7932C9E3 (pgp.mit.edu)
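The difference between the two revisions can be shown on constructed packets. The following Python is an added example, not code from the thread or from the Bleeding Edge ruleset: it builds minimal IPv4+ICMP packets, parses them back, and emulates the rule's $HOME_NET source check, its content match, and (for rev:2) the itype:8; icode:0; constraint. The HOME_NET range, the addresses and the sample packets are assumptions made up for the demonstration.

```python
import ipaddress
import struct

# $HOME_NET as the rule would expand it; this value is an assumption for the example.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

# The content match taken verbatim from the rule in the thread.
ALLAPLE_CONTENT = b"Babcdefghijklmnopqrstuvwabcdefghi"

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src: str, dst: str, itype: int, icode: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header + 8-byte ICMP header + data."""
    icmp_body = struct.pack("!HH", 0x1234, 1) + payload  # identifier, sequence, data
    csum = inet_checksum(struct.pack("!BBH", itype, icode, 0) + icmp_body)
    icmp = struct.pack("!BBH", itype, icode, csum) + icmp_body
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,  # v4/IHL, TOS, total len, id, frag, TTL, proto=ICMP, csum
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return ip_hdr + icmp


def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, itype, icode, data) for an IPv4 ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:  # IP protocol 1 = ICMP
        return None
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    itype, icode = pkt[ihl], pkt[ihl + 1]
    return src, dst, itype, icode, pkt[ihl + 8:]


def matches_rule(pkt: bytes, rev: int) -> bool:
    """Emulate the two revisions: rev 1 has only the content match,
    rev 2 adds itype:8; icode:0; so only echo requests fire."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return False
    src, _dst, itype, icode, data = parsed
    if not any(src in net for net in HOME_NET):  # $HOME_NET any -> any any
        return False
    if ALLAPLE_CONTENT not in data:  # content:"Babcdefghijklmnopqrstuvwabcdefghi"
        return False
    if rev >= 2 and not (itype == ICMP_ECHO_REQUEST and icode == 0):
        return False
    return True


# Constructed packets for the demonstration, not captured traffic.
SAMPLES = {
    # infected internal host sweeping an outside address
    "sweep_request": build_ipv4_icmp("10.1.2.3", "192.0.2.9", ICMP_ECHO_REQUEST, 0, ALLAPLE_CONTENT),
    # internal host answering an inbound sweep: an echo reply carries the request's data back
    "victim_reply": build_ipv4_icmp("10.1.2.4", "192.0.2.9", ICMP_ECHO_REPLY, 0, ALLAPLE_CONTENT),
    # ordinary ping with a different payload
    "normal_ping": build_ipv4_icmp("10.1.2.5", "192.0.2.9", ICMP_ECHO_REQUEST, 0, b"abcdefghijklmnop"),
    # the sweep payload, but sourced from outside HOME_NET
    "external_sweep": build_ipv4_icmp("203.0.113.7", "10.1.2.3", ICMP_ECHO_REQUEST, 0, ALLAPLE_CONTENT),
}


def evaluate(rev: int) -> dict:
    """Which sample packets the given revision of the rule would alert on."""
    return {name: matches_rule(pkt, rev) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for rev in (1, 2):
        print("rev", rev, evaluate(rev))
```

Because an echo reply returns the request's data field unchanged, rev:1 also fires on a HOME_NET host that merely answers an inbound sweep, so the alert source is not necessarily the infected machine; rev:2 fires only on the outbound echo request, which is the narrowing the reply above asks for.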