Re: Malware zero day thingy (security.ids.snort.sigs, msg#00168)
Brian Howard <drivah@xxxxxxxxxxxxx> writes:

> anybody got a good sig at this point?
> I am thinking something like simply going for any attempt to store payload
> at something like "C:\WIN"? Lots of false+ on micro$oft updates perhaps?
> What is the collective wisdom at this point?

I stole these from somewhere, and don't seem to have attributed them -
although I'm deeply grateful to the original author.

If they fire you'll probably see stuff like "lsass[445] exploited <IP address>"
being sent to an IRC server. First, block the IRC server at the firewall and
then go on clean-up duty - turned out to be a new RxBot variant.

cheers,
Jamie

# Rules as posted (nocase:; corrected to nocase;). All four carry the same
# sid in the archived copy; give each rule its own sid before loading them,
# or Snort will reject the duplicates.
alert tcp $HOME_NET !21:443 -> any !80 (content:"PRIVMSG"; nocase; content:"Exploit"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC (Exploit)"; classtype:trojan-activity; sid:1000168; rev:6;)
alert tcp $HOME_NET !21:443 -> any !80 (content:"PRIVMSG"; nocase; content:"lsass"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC (lsass)"; classtype:trojan-activity; sid:1000168; rev:6;)
alert tcp $HOME_NET !21:443 -> any !80 (content:"PRIVMSG"; nocase; content:"Scan"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC (Scan)"; classtype:trojan-activity; sid:1000168; rev:6;)
alert tcp $HOME_NET !21:443 -> any !80 (content:"PRIVMSG"; nocase; content:"zombie"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC (zombie)"; classtype:trojan-activity; sid:1000168; rev:6;)

-- 
James Riden / j.riden@xxxxxxxxxxxx / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
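Added example, not part of the original post or the thread: a small Python re-implementation of what the four rules above match, so the logic can be exercised offline against sample traffic before the rules go into a sensor. It models the header (source port outside 21-443, destination port not 80; the source address is assumed to be in $HOME_NET), the case-insensitive "PRIVMSG" match and the keyword that must sit within 80 bytes after it. Port numbers, channel names, addresses and message texts in SAMPLES are constructed, not captured data, and the within:80 handling is an approximation of Snort's matcher, not Snort itself.

```python
"""Offline model of the four RogueIRC Snort rules (added example, not from the post)."""
from dataclasses import dataclass
from typing import List, Optional

# Keywords from the four posted rules, in rule order.
KEYWORDS = ("Exploit", "lsass", "Scan", "zombie")
WITHIN = 80          # within:80 in the posted rules
FIRST = b"PRIVMSG"   # first content match in every rule


@dataclass
class Packet:
    """Constructed stand-in for a TCP segment from $HOME_NET to anywhere."""
    src_port: int
    dst_port: int
    payload: bytes


def header_matches(pkt: Packet) -> bool:
    """Rule header 'tcp $HOME_NET !21:443 -> any !80': source port outside
    21-443 and destination port not 80 (source IP assumed in $HOME_NET)."""
    return not (21 <= pkt.src_port <= 443) and pkt.dst_port != 80


def find_nocase(hay: bytes, needle: bytes, start: int = 0,
                end: Optional[int] = None) -> int:
    """content:"..."; nocase; -> case-insensitive byte search in [start, end)."""
    return hay.lower().find(needle.lower(), start, end)


def body_matches(payload: bytes, keyword: bytes) -> bool:
    """content:"PRIVMSG"; nocase; content:<keyword>; nocase; within:80;

    The keyword must lie entirely inside the 80 bytes that follow the end
    of a PRIVMSG match. Every PRIVMSG occurrence is tried, not only the
    first, so a later message in the same segment can still satisfy it.
    """
    pos = find_nocase(payload, FIRST)
    while pos >= 0:
        prev_end = pos + len(FIRST)
        if find_nocase(payload, keyword, prev_end, prev_end + WITHIN) >= 0:
            return True
        pos = find_nocase(payload, FIRST, pos + 1)
    return False


def alerts_for(pkt: Packet) -> List[str]:
    """Return the msg string of every posted rule this packet would fire."""
    if not header_matches(pkt):
        return []
    return [f"Possible RogueIRC ({k})" for k in KEYWORDS
            if body_matches(pkt.payload, k.encode())]


# Constructed sample traffic (description, packet); none of this is captured data.
SAMPLES = [
    ("bot reporting an lsass exploit to its IRC C2",
     Packet(1037, 6667, b"PRIVMSG #b0tz :lsass[445] exploited 192.0.2.15\r\n")),
    ("same text but to port 80, excluded by the rule header",
     Packet(1037, 80, b"PRIVMSG #b0tz :lsass[445] exploited 192.0.2.15\r\n")),
    ("legitimate chat that false-positives on 'Scan'",
     Packet(50123, 6667, b"PRIVMSG #help :just ran a virus scan, all clean\r\n")),
    ("keyword more than 80 bytes after PRIVMSG, outside within:80",
     Packet(50123, 6667, b"PRIVMSG #x :" + b"A" * 80 + b" zombie\r\n")),
]


def run_samples() -> dict:
    """Evaluate every sample and map its description to the alerts raised."""
    return {desc: alerts_for(pkt) for desc, pkt in SAMPLES}


if __name__ == "__main__":
    for desc, alerts in run_samples().items():
        print(f"{desc}: {alerts or 'no alert'}")
```

The third sample is the point Brian raised about false positives: a plain "scan" in ordinary channel chatter trips the Scan rule, so on a network with legitimate IRC use the Exploit/lsass/zombie rules are the ones worth paging on, and the Scan rule is better left as a corroborating signal.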