[Snort-sigs] iroffer IRC P2P Bot signatures

Matthew Jonkman matt at ...2436...
Tue Jun 29 19:03:09 EDT 2004


Cool, thanks for the advice. Isn't my rule, but I'll apply the changes. 
These are up on bleeding as well.

alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P iroffer IRC Bot help message"; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth:500; flow:from_server,established; classtype:trojan-activity; sid:2000338; rev:1;)

alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth:500; flow:from_server,established; classtype:trojan-activity; sid:2000339; rev:1;)

Thanks for the advice Nigel. And thanks to Kevin for making the original 
rules.

Matt

Nigel Houghton wrote:

> On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
> 
>>So would these be accurate rules then Matt W:
>>
>>alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot help message"; 
>>content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 
>>65 3A 20 22 2F 6D 73 67|"; depth:500; classtype: trojan-activity; 
>>sid:20046250;priority:1; flags:PA;)
> 
> 
> Use the $HOME_NET and $EXTERNAL_NET variables along with flow instead of
> flags. Don't use priority, let the classtype decide that. Also include a
> reference the user can use to get more pertinent information on the issue.
> 
> 
>>alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot offered files 
>>advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; 
>>depth:500; classtype: trojan-activity; sid:20046251; priority:1; flags:PA;)
> 
> 
> same.
> 
> -------------------------------------------------------------
> Nigel Houghton       Research Engineer        Sourcefire Inc.
>                  Vulnerability Research Team
> 
> "Dude, dolphins are intelligent and friendly!" -- Wendy
> "Intelligent and friendly on rye bread, with some mayonaise." -- Cartman
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
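The conventions Nigel lists (use $HOME_NET/$EXTERNAL_NET rather than any, flow instead of flags, no priority, add a reference, let classtype carry the severity) are easy to check mechanically before a rule is pushed to a sensor. The script below is an added example, not code from the thread or from the Snort or Bleeding Edge projects: it parses a rule header and its option list, decodes the |hex| content so you can read what the signature actually matches, and reports which of the thread's conventions a rule violates. The rule strings are constructed copies of the ones in the thread; in one copy the ";" between established and classtype has been dropped on purpose to show that the option splitter catches a run-together option list, which Snort would otherwise reject at load time.

```python
import re

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.S,
)


def split_options(body):
    """Split a rule body on ';' outside double quotes; return [(key, value), ...]."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and in_quote:          # keep escaped chars inside quotes
            cur.append(body[i:i + 2]); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if ''.join(cur).strip():
        opts.append(''.join(cur))
    pairs = []
    for o in opts:
        o = o.strip()
        if o:
            key, _, val = o.partition(':')
            pairs.append((key.strip(), val.strip()))
    return pairs


def decode_content(value):
    """Turn a Snort content value like "|54 6F|xyz" into bytes (hex inside pipes, literal outside)."""
    s = value.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    out = bytearray()
    for i, part in enumerate(s.split('|')):
        out += bytes.fromhex(part.replace(' ', '')) if i % 2 else part.encode('latin-1')
    return bytes(out)


def rule_contents(rule):
    """Decoded bytes of every content: option in the rule."""
    m = HEADER_RE.match(rule.strip())
    return [decode_content(v) for k, v in split_options(m['opts']) if k == 'content']


def lint_rule(rule):
    """Apply the conventions from the thread; return a list of findings (empty means clean)."""
    findings = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ['header: could not parse rule header']
    if not ({'$HOME_NET', '$EXTERNAL_NET'} & {m['src'], m['dst']}):
        findings.append('header: use $HOME_NET/$EXTERNAL_NET instead of any for addresses')
    opts = split_options(m['opts'])
    keys = [k for k, _ in opts]
    for k, v in opts:
        # an unquoted value containing a second "key:" means a ';' was dropped
        if not v.startswith('"') and re.search(r'\s\w+:', v):
            findings.append(f'{k}: value "{v}" looks like two options; missing ";"')
    if 'flags' in keys:
        findings.append('flags: use flow:established instead of raw TCP flags')
    if 'flow' not in keys:
        findings.append('flow: missing; add flow:from_server,established or similar')
    if 'priority' in keys:
        findings.append('priority: drop it and let classtype decide')
    if 'classtype' not in keys:
        findings.append('classtype: missing')
    if 'reference' not in keys:
        findings.append('reference: add one so analysts can look the issue up')
    for required in ('sid', 'rev'):
        if required not in keys:
            findings.append(f'{required}: missing')
    return findings


HELP_CONTENT = ('"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 '
                '3A 20 22 2F 6D 73 67|"')
OFFER_CONTENT = '"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"'

# Constructed copies of the thread's rules.
ORIGINAL_HELP = ('alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot help message"; '
                 f'content:{HELP_CONTENT}; depth:500; classtype: trojan-activity; '
                 'sid:20046250;priority:1; flags:PA;)')
# Revised rule with the ';' after "established" deliberately dropped.
REVISED_BROKEN = ('alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P iroffer IRC Bot help message"; '
                  f'content:{HELP_CONTENT}; depth:500; flow:from_server,established '
                  'classtype:trojan-activity; sid:2000338; rev:1;)')
REVISED_HELP = REVISED_BROKEN.replace('established classtype', 'established; classtype')
REVISED_OFFER = ('alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P iroffer IRC Bot offered files advertisement"; '
                 f'content:{OFFER_CONTENT}; depth:500; flow:from_server,established; '
                 'classtype:trojan-activity; sid:2000339; rev:1;)')

if __name__ == '__main__':
    for name, rule in [('original', ORIGINAL_HELP), ('revised-broken', REVISED_BROKEN),
                       ('revised', REVISED_HELP), ('offer', REVISED_OFFER)]:
        print(name, 'matches', rule_contents(rule))
        for f in lint_rule(rule):
            print('  -', f)
```

Running it shows the help rule matches the literal text "To request a file type: \"/msg" and the advertisement rule matches "Total Offered:", that the original any-to-any rules trip the header, flags, priority and missing flow/reference/rev checks, and that the revised rules only lack a reference option (plus the dropped ";" in the deliberately broken copy).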
