[Snort-sigs] More on RxBot and IRC traffic

James Riden j.riden at ...1766...
Fri Jan 21 16:48:02 EST 2005


James Riden <j.riden at ...1766...> writes:

> Tom Fischer <Tom.Fischer at ...2966...> writes:
>
>> Hi,
>>
>> On Sat, Jan 15, 2005 at 02:23:01PM +1300, James Riden wrote:
>>> I found an interesting web page
>>> http://cert.uni-stuttgart.de/doc/netsec/bots.php which lists some
>>> signatures for IRC communications from Agobot/Phatbot/RxBot.
>
> Correction, sorry - according to LURHQ, phatbot actually uses a P2P
> system rather than IRC for communication -
> http://www.lurhq.com/phatbot.html - also gives some snort sigs for the
> P2P control and for phatbot infection.

Duh; the LURHQ ones are already included in bleeding-virus.rules. 

-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/





