[Snort-sigs] More on RxBot and IRC traffic

Tom Fischer Tom.Fischer at ...2966...
Fri Jan 21 04:58:25 EST 2005


On Sat, Jan 15, 2005 at 02:23:01PM +1300, James Riden wrote:
> I found an interesting web page
> http://cert.uni-stuttgart.de/doc/netsec/bots.php which lists some
> signatures for IRC communications from Agobot/Phatbot/RxBot.

yep :-) btw. I've added some new signatures to the mentioned web page
(tcp|syn|udp|ack|ping|icmp)flood ([0-9]{1,3}\.){3}[0-9]{1,3}
or advscan dcass (combination of lsass and dcom scanning method)
> (You can get google to translate from the German, but the signatures
> don't survive too well, so make to look at them in the original.)

need for a English version of this page?

If those rules produce to many false positives it would be an option to
add additional parameters like
advscan lsass [0-9]{1,4} [0-9]{1,4} [0-9]{1,4}
(cause the syntax is advscan <method> <threads> <delay> <length>,
e.g. advscan lsass 100 5 0)

Tom Fischer
RUS-CERT University of Stuttgart
Breitscheidstr. 2, D-70174 Stuttgart     http://cert.uni-stuttgart.de/

More information about the Snort-sigs mailing list