Re: Sig on psyBNC IRCproxy: msg#00124 security.ids.snort.bleedingsnort
Hey Reg, thanks for sending these over. There's one psybnc sig I'm aware of in the snort gpl ruleset:

info.rules:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@xxxxxxxxxxxxxxxx"; classtype:bad-unknown; sid:493; rev:5;)

It sucks though. It's probably disabled in every install on the planet. Yours are better. Let me digest them and post with references and such. You happen to have a pcap?

I think we can probably go with high ports (>1024) for a dest. Do the regular IRC on off ports sigs hit on these? Seems like they would. I may be able to add these after those flowbits are set to control load.

Matt

Reg Quinton wrote:
> Matt, we occasionally get compromises (often dumb passwords) where the
> attacker installs the psyBNC IRC proxy -- often connected to undernet.
> It's apparently pretty standard fare in the hacker community and a
> method for the bad guys to communicate but hide their location. The
> proxies we've seen have a welcome banner like this:
>
> :Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@xxxxxxxxxxxxxxxx NOTICE * :psyBNC2.3.1
>
> We have a couple of sigs we use to detect that. You might want to
> include one, both, or perhaps some variation of your choosing:
>
> # Watch for psyBNC servers
>
> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-UW Suspicious Welcome Banner on Local Port"; flow:from_server,established; content:"\:Welcome!"; offset:0; depth:9; tag:session, 20, packets; classtype:non-standard-protocol; sid:99990017;)
>
> # Watch for lam3rz.de servers
>
> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-UW lam3rze Banner on Local Port"; flow:from_server,established; content:"lam3rz"; offset:0; depth:80; tag:session, 20, packets; classtype:non-standard-protocol; sid:99990023; rev:2;)
>
> I suspect that the "lam3rz" tag is just one gang of bad guys (or perhaps
> a reference to the lame security where user "test" has password "test"). I
> think the "Welcome" and "psyBNC" strings in the banner are enough.
>
> For a reference we point people to this local document
>
> http://ist.uwaterloo.ca/security/vulnerable/20050705.shtml
>
> But you might reference any of these instead (a quick google finds many,
> it's really old news but still happens):
>
> http://www.honeynet.org/papers/phishing/details/de-detailed.html
> http://www.infosecwriters.com/texts.php?op=display&id=84
> http://www.ufsdump.org/labs/unix-forensics.html
> http://ieeexplore.ieee.org/iel5/8013/27717/01236244.pdf?arnumber=1236244

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
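As an added example (not the list's, Matt's, or Reg's code), the Python below emulates the content/offset/depth tests of the three rules in this message and runs them over constructed banners; it shows that sid:493 fires only on the exact token quoted above, that sid:99990017 keys on the first nine bytes and so ignores a normal IRC 001 welcome, and that the lam3rz rule is independent of both. The banners other than the quoted psyBNC one are made up for the demonstration.

```python
# Constructed banners (not captures): the psyBNC banner quoted in the
# thread, a variant with a different token, a normal IRC 001 reply, and
# a lam3rz-style banner.
PSYBNC = (b":Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@xxxxxxxxxxxxxxxx "
          b"NOTICE * :psyBNC2.3.1\r\n")
SAMPLES = {
    "psybnc": PSYBNC,
    "psybnc_other_token": (b":Welcome!psyBNC-AAAAAAAAAAAAAAAAAAAAAA@xxxxxxxxxxxxxxxx "
                           b"NOTICE * :psyBNC2.3.1\r\n"),
    "irc_001": (b":irc.example.net 001 alice :Welcome to the Internet "
                b"Relay Network alice!alice@host\r\n"),
    "lam3rz": b":lam3rz.de NOTICE AUTH :*** Looking up your hostname...\r\n",
}

# (name, content, offset, depth); depth=None searches to the end of the payload.
RULES = [
    # Snort GPL info.rules sid:493: the whole banner string, anywhere in the payload.
    ("sid:493", b"Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@xxxxxxxxxxxxxxxx", 0, None),
    # BLEEDING-UW sid:99990017: ':Welcome!' must be the first 9 bytes.
    ("sid:99990017", b":Welcome!", 0, 9),
    # BLEEDING-UW sid:99990023: 'lam3rz' somewhere within the first 80 bytes.
    ("sid:99990023", b"lam3rz", 0, 80),
]


def content_match(payload, content, offset=0, depth=None):
    """Snort-style content match: the pattern must fit entirely inside
    payload[offset:offset+depth] (depth counts from offset)."""
    end = None if depth is None else offset + depth
    return content in payload[offset:end]


def matching_rules(payload):
    """Names of the rules above whose content test the payload satisfies."""
    return [name for name, content, off, dep in RULES
            if content_match(payload, content, off, dep)]


if __name__ == "__main__":
    for label, banner in SAMPLES.items():
        print(f"{label:20s} -> {matching_rules(banner) or ['no match']}")
```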