Re: Stormy P2P bot Sigs (security.ids.snort.bleedingsnort, msg#00137)
Finding more detail, this does indeed look like edonkey traffic on an unusual port. I'm working on making better sigs, and might pull these shortly. If anyone is interested, here are the references I'm looking at:

http://www.giac.org/certified_professionals/practicals/gcih/0446.php
ftp://ftp.kom.e-technik.tu-darmstadt.de/pub/papers/HB02-1-paper.pdf

We may just need to redo the existing edonkey sigs, which look only at ports 4660:4799. This trojan runs with a source port of 7871, which is rather unusual... Any edonkey experts out there?

Matt

Matt Jonkman wrote:
> Have these posted, regarding the Stormy bot. It's email borne primarily.
>
> The only thing I found among several variants that was common was that
> each packet starts with |e3|, and ends in |bf 1e 00| for outbound
> packets. And there are some kind of status or ack packets back from
> outside hosts that's just an |e3 0d|. Everything starts with e3 though,
> and the second byte is generally 0a-0f.
>
> Hopefully we'll update these as we learn more.
>
> #Matt Jonkman
> alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535
> (msg:"BLEEDING-EDGE TROJAN Stormy P2P bot C&C Seek Traffic Outbound";
> dsize:>18; content:"|e3|"; depth:1; content:"|bf 1e 00|"; offset:5;
> classtype:trojan-activity; sid:2003299; rev:1;)
>
> alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535
> (msg:"BLEEDING-EDGE TROJAN Stormy P2P bot C&C Reply Traffic Inbound";
> dsize:2; content:"|e3 0d|"; classtype:trojan-activity; sid:2003300; rev:1;)
>
> alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535
> (msg:"BLEEDING-EDGE TROJAN Stormy P2P bot C&C Data Traffic Inbound";
> dsize:>400; content:"|e3 0b 14 00|"; classtype:trojan-activity;
> sid:2003301; rev:1;)
>
> It appears to be an edonkey or emule protocol, but don't have a reliable
> enough protocol ref handy to know for sure yet. If someone recognizes
> the pattern please let me know.
>
> Matt

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
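As an added illustration (not code from the thread or from Bleeding Edge), the matching logic of the three posted rules is reproduced in plain Python and run over constructed UDP payloads, so a defender can see what each sid actually requires: `depth:1` pins the `|e3|` to the first byte, `offset:5` only means the trailer is searched from byte 5 onward, and the `dsize` test does the rest. It also flags the case raised in the reply: `|e3|`-prefixed UDP on ports outside the 4660:4799 range the existing edonkey sigs watch. The 10.0.0.0/24 $HOME_NET and all packet contents are constructed assumptions.

```python
from dataclasses import dataclass

HOME_NET_PREFIX = "10.0.0."        # assumption: 10.0.0.x stands in for $HOME_NET
EPHEMERAL = range(1024, 65536)      # the 1024:65535 port ranges used in the rules
EDONKEY_PORTS = range(4660, 4800)   # ports the existing edonkey sigs look at (4660:4799)


@dataclass
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)


def sigs_fired(pkt: UdpPacket) -> list:
    """Return the sids of the three Stormy rules that would fire on this packet."""
    if pkt.sport not in EPHEMERAL or pkt.dport not in EPHEMERAL:
        return []
    p = pkt.payload
    outbound = is_home(pkt.src) and not is_home(pkt.dst)   # $HOME_NET -> $EXTERNAL_NET
    inbound = not is_home(pkt.src) and is_home(pkt.dst)    # $EXTERNAL_NET -> $HOME_NET
    fired = []
    # sid:2003299 - dsize:>18; |e3| within depth 1; |bf 1e 00| searched from offset 5
    if outbound and len(p) > 18 and p[:1] == b"\xe3" and b"\xbf\x1e\x00" in p[5:]:
        fired.append(2003299)
    # sid:2003300 - exactly two bytes, |e3 0d|
    if inbound and len(p) == 2 and p == b"\xe3\x0d":
        fired.append(2003300)
    # sid:2003301 - dsize:>400; |e3 0b 14 00| anywhere (no offset/depth given)
    if inbound and len(p) > 400 and b"\xe3\x0b\x14\x00" in p:
        fired.append(2003301)
    return fired


def e3_off_edonkey_ports(pkt: UdpPacket) -> bool:
    """Heuristic from the reply: edonkey-style |e3| framing on a port the edonkey sigs miss."""
    on_known_port = pkt.sport in EDONKEY_PORTS or pkt.dport in EDONKEY_PORTS
    return pkt.payload[:1] == b"\xe3" and not on_known_port


# Constructed sample traffic (not captures): one packet per rule, plus an
# edonkey-looking packet on a standard port that must match none of the rules.
SAMPLES = {
    "seek_out": UdpPacket("10.0.0.5", 7871, "198.51.100.7", 12345,
                          b"\xe3\x0c" + b"\x00" * 14 + b"\xbf\x1e\x00"),      # 19 bytes
    "reply_in": UdpPacket("198.51.100.7", 12345, "10.0.0.5", 7871, b"\xe3\x0d"),
    "data_in": UdpPacket("198.51.100.7", 12345, "10.0.0.5", 7871,
                         b"\xe3\x0b\x14\x00" + b"A" * 400),                    # 404 bytes
    "edonkey_std_port": UdpPacket("10.0.0.5", 4662, "198.51.100.9", 4662,
                                  b"\xe3\x0a" + b"\x00" * 20),
}
```

Run `sigs_fired` and `e3_off_edonkey_ports` over `SAMPLES` to see that the standard-port edonkey packet trips none of the sids while the 7871-sourced one trips sid 2003299 and the off-port heuristic.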