[Snort-sigs] More on RxBot and IRC traffic

Matt Jonkman matt at ...2436...
Fri Jan 14 21:35:01 EST 2005


Those look very nice. Posted, lets give them a spin and see.

Thanks

Matt

James Riden wrote:

>Hi there, 
>
>I found an interesting web page
>http://cert.uni-stuttgart.de/doc/netsec/bots.php which lists some
>signatures for IRC communications from Agobot/Phatbot/RxBot.
>
>(You can get google to translate from the German, but the signatures
>don't survive too well, so make to look at them in the original.)
>
><quote>
># localscan (?)
># (ntscan|ntstop|gigaload) (?)
># {http|ftp}\.execute (Agobot/Phatbot)
># bot\.(command|execute|flushdns) (Agobot/Phatbot)
># redirect ([0-9]{1,4}) (SpYboT)
># redirect\.(gre|http|https|socks|socks5|stop|tcp) (Agobot/Phatbot)
># scan\.((start|stop)(all)?|stats|(dis|en)able|(clear|reset|list|del|add)netrange) (Agobot/Phatbot)
># {syn|udp} ([0-9]{1,3}\.){3}[0-9]{1,3} (SDBot)
># ddos\.(httpflood|phat(icmp|syn|wonk)|stop|(syn|udp)flood|targa3) (Agobot/Phatbot)
># !scan ([0-9]{1,3}\.) (GTBot)
># (advscan|asc|xscan|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp) (rBot/rxBot)
># (advscan|asc|xscan|adv\.start) (beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc) (rBot/rxBot)
># ddos\.(syn|ack|random) (rBot/rxBot)
></quote>
>
>So, to make SID 2001584 a bit more comprehensive, I think we could do:
>
>alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Bot Reporting Scan/Exploit"; content:"PRIVMSG"; nocase; pcre:"/(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)/i"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001584; rev:1;)
>
>And to cover the DDoS sigs:
>
>alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Bot Reporting/Commencing DDoS"; content:"PRIVMSG"; nocase; pcre:"ddos\.(httpflood|phat(icmp|syn|wonk)|stop|(syn|udp)flood|targa3|syn|ack|random)/i"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001586; rev:1;)
>
>NB: This is the first time I've written pcre, so feedback is most welcome.
>
>I've also seen variations which are (should be :) covered in the first
>sig which the web page sigs don't cover - e.g. packets starting
>"PRIVMSG #channel:scan(lsass): random scan"... - which is why it's
>slightly different.
>
>cheers,
> Jamie
>  
>

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------


NOTICE: The information contained in this email is confidential 
and intended solely for the intended recipient. Any use, 
distribution, transmittal or retransmittal of information 
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.  
If you are not the intended recipient, please contact the sender 
and delete all copies.





More information about the Snort-sigs mailing list