[Snort-sigs] RxBot and IRC traffic

James Riden j.riden at ...1766...
Sun Dec 5 10:12:04 EST 2004


Hi there,

There are a couple of rules which pick up RxBot traffic at the moment -
e.g.

rules/bleeding-virus.rules:alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE RXBOT / RBOT Exploit Report"; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; classtype:trojan-activity;  reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; sid:2001220; rev: 1;)

rules/bleeding-virus.rules:alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE RXBOT / RBOT Vulnerability Scan";content:"|2E|advscan|20|"; nocase; classtype: trojan-activity; reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; reference:url,www.muzzleflash.org/readarticle.php?article_id=5#scanning; sid:2001184; rev: 1;)

rules/bleeding-virus.rules:alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE IRC Trojan Reporting (lsass)"; content:"PRIVMSG"; nocase; content:"lsass"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; sid:2001371; rev:1;)


We could add another to cover the following packet captures - 'scan'
comes up a little too often in IRC traffic, so it would be nice to get
the more specific one in:

alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE IRC Trojan Reporting (mssql)"; content:"PRIVMSG"; nocase; content:"mssql"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; sid:? ; rev:1;)

Or maybe the rules could do with a little re-factoring by someone a
little better at this than me.

cheers,
 Jamie

#(3 - 401597) [2004-12-04 17:07:21.144] [snort/1000168]  Possible RogueIRC (Exploit)
IPv4: 130.123.xx.yyy -> 212.aaa.bbb.ccc
      hlen=5 TOS=0 dlen=91 ID=40714 flags=0 offset=0 TTL=128 chksum=23117
TCP:  port=1517 -> dport: 5003  flags=***AP*** seq=1959713347
      ack=886516511 off=5 res=0 win=63720 urp=0 chksum=28341
Payload:  length = 51

000 : 50 52 49 56 4D 53 47 20 23 72 65 6C 69 66 65 20   PRIVMSG #relife 
010 : 3A 6D 73 73 71 6C 3A 20 65 78 70 6C 6F 69 74 65   :mssql: exploite
020 : 64 20 28 31 33 30 2E 31 32 33 2E       2E         d (130.123.aa.bb
030 : 29 0D 0A                                          )..

------------------------------------------------------------------------------
#(3 - 401375) [2004-12-04 14:44:13.237] [snort/2001372]  BLEEDING-EDGE IRC Trojan Reporting (Scan)
IPv4: 130.123.xx.yy -> 212.aaa.bbb.ccc
      hlen=5 TOS=0 dlen=139 ID=45308 flags=0 offset=0 TTL=128 chksum=18555
TCP:  port=2582 -> dport: 5003  flags=***AP*** seq=841356361
      ack=879771124 off=5 res=0 win=16560 urp=0 chksum=18775
Payload:  length = 99

000 : 50 52 49 56 4D 53 47 20 23 72 65 6C 69 66 65 20   PRIVMSG #relife 
010 : 3A 73 63 61 6E 28 6D 73 73 71 6C 29 3A 20 72 61   :scan(mssql): ra
020 : 6E 64 6F 6D 20 70 6F 72 74 20 73 63 61 6E 20 31   ndom port scan 1
030 : 33 30 2E 78 2E 78 2E 78 3A 31 34 33 33 20 5B 64   30.x.x.x:1433 [d
040 : 65 6C 61 79 20 31 35 20 73 65 63 5D 20 5B 30 20   elay 15 sec] [0 
050 : 6D 69 6E 5D 20 5B 37 30 20 74 68 72 65 61 64 73   min] [70 threads
060 : 5D 0D 0A                                          ]..


-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
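As an added illustration (not part of the post above, and not Snort or Bleeding Edge code), the following Python models only the payload-side checks of the quoted rules, i.e. the content, nocase and within modifiers, and runs them over payloads reconstructed from the two captures plus a constructed benign line; the port and flow conditions of the rule headers are not modelled, and the rule labels and sample text are my own.

```python
# Added example: simulate Snort content / nocase / within matching for the
# rule bodies quoted in the post and check them against sample IRC payloads.

def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|2E|advscan|20|' into bytes:
    text outside pipes is literal, text inside pipes is space-separated hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def content_chain_matches(payload: bytes, chain, nocase: bool = True) -> bool:
    """chain: list of (content_spec, within). Each content must occur after the
    previous match; with a within value it must lie entirely inside the next
    `within` bytes after the end of the previous match (None = anywhere after)."""
    data = payload.lower() if nocase else payload
    end = 0
    for spec, within in chain:
        pat = parse_content(spec)
        pat = pat.lower() if nocase else pat
        window = data[end:] if within is None else data[end:end + within]
        idx = window.find(pat)
        if idx < 0:
            return False
        end += idx + len(pat)
    return True

# Content chains of the rules quoted in the post (labels are mine).
RULES = {
    "rxbot exploit report (sid 2001220)": [("|5D 3A 20|Exploiting|20|IP|3A 20|", None)],
    "rxbot vuln scan (sid 2001184)": [("|2E|advscan|20|", None)],
    "irc trojan reporting lsass (sid 2001371)": [("PRIVMSG", None), ("lsass", 80)],
    "irc trojan reporting mssql (proposed)": [("PRIVMSG", None), ("mssql", 80)],
}

# Constructed payloads: the two captured lines (IPs redacted as in the post)
# and one benign channel message that also contains the keyword.
SAMPLES = {
    "exploited": b"PRIVMSG #relife :mssql: exploited (130.123.aa.bb)\r\n",
    "scan": b"PRIVMSG #relife :scan(mssql): random port scan 130.x.x.x:1433 "
            b"[delay 15 sec] [0 min] [70 threads]\r\n",
    "benign": b"PRIVMSG #chan :the mssql backup finished, will scan logs tomorrow\r\n",
}

def matching_rules(payload: bytes):
    """Names of the rules whose content chain matches the payload."""
    return [name for name, chain in RULES.items() if content_chain_matches(payload, chain)]

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, "->", matching_rules(payload))
```

The benign sample also triggers the proposed rule, since any PRIVMSG with "mssql" within 80 bytes qualifies; that is the kind of false positive a keyword-only content match has to accept.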