[Snort-sigs] Phatbot signatures

Joe Stewart jstewart at ...5...
Mon Mar 15 12:01:10 EST 2004

Here are a couple of signatures to detect Phatbot activity on a network:

alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; 
flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 
0d 0a|"; dsize:40; classtype:trojan-activity; 
reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)

alert tcp any any -> any any (msg:"Phatbot P2P Control Connection"; 
flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; 
classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; 
sid:1000076; rev:1;)


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

More information about the Snort-sigs mailing list