[Snort-sigs] Ginwin improvments?
ureleet at ...2420...
Fri May 26 06:15:03 EDT 2006
So we could write a follow up rule like:
# The two header contents chain off the request line with relative modifiers
# (distance/within); a source port ("any") is required for the rule to parse.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"GINWIN Virus Post attempt"; \
  flow:to_server,stateless; content:"POST|20 2f 20|HTTP|2f|1|2e|1"; depth:15; \
  content:"Host|3a|"; distance:2; within:5; \
  content:"scfzf.xicp.net"; distance:1; within:14; sid:91919191; rev:1;)
And a second rule could be written to be similar. Again, until (or if) VRT
puts one out, this may suffice.
I didn't use "established" in the flow because, according to the pcap,
no session is established; it would need further research to determine.
There may not be a good way to detect this prior to infection... IDS != AV
> On Friday 26 May 2006 08:47, Ureleet Ureleet wrote:
> > > I do not have a pcap for it. This was a preemptive signature based
> > > off of the virus info. Please do not write to me asking for a pcap
> > > anymore. If I had one, it would be given to the people at VRT.
> Here's a (sandnet-collected, so the IPs are not real) pcap of the DNS
> request and the initial HTTP post to one of the two hosts.
> --
> Joe Stewart, GCIH
> Senior Security Researcher
> LURHQ http://www.lurhq.com/
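The rule above hangs its three contents off each other: the request line at offset 0, then "Host:" after the CRLF, then the hostname after the space. Whether such a chain fires depends entirely on the offset/depth/distance/within windows lining up with the real bytes, which is easy to get wrong by hand. The following is an added example for this thread, not code from the poster and not Snort's own engine: a small Python evaluator of those four modifiers (semantics assumed from the Snort manual: offset/depth search from the payload start, distance/within search from the end of the previous match, and a pattern must fit inside its window), a lint that flags windows too small for their pattern, and a generator for the "second rule" for another host. The request payloads are constructed for the example and are not from the pcap.

```python
# Added example: evaluates Snort-style content modifiers against a raw TCP
# payload. Assumed semantics (per the Snort manual, not verified against the
# engine): offset/depth are absolute, distance/within are relative to the end
# of the previous content match, and the pattern must fit inside the window.

def snort_content_to_bytes(s: str) -> bytes:
    """Expand Snort content syntax: literal text with |xx xx| hex blocks."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal text between bars
        else:
            out += bytes.fromhex(part)      # hex block such as "20 2f 20"
    return bytes(out)


def match_contents(payload: bytes, contents) -> bool:
    """contents: list of (content_string, modifier dict), matched in order.
    Returns True only when every content is found inside its own window."""
    prev_end = 0
    for pat, mods in contents:
        needle = snort_content_to_bytes(pat)
        if "distance" in mods or "within" in mods:      # relative to last match
            start = prev_end + mods.get("distance", 0)
            end = start + mods["within"] if "within" in mods else len(payload)
        else:                                            # absolute from offset 0
            start = mods.get("offset", 0)
            end = start + mods["depth"] if "depth" in mods else len(payload)
        idx = payload.find(needle, start, end)           # needle must fit in [start, end)
        if idx < 0:
            return False
        prev_end = idx + len(needle)
    return True


def lint_contents(contents):
    """Static checks a rule writer wants before loading a rule: a within
    window smaller than its pattern, and a content that mixes absolute
    (offset/depth) with relative (distance/within) modifiers. Heuristic of
    this example, not the Snort parser's own checks."""
    problems = []
    for pat, mods in contents:
        size = len(snort_content_to_bytes(pat))
        if "within" in mods and mods["within"] < size:
            problems.append("%r: within:%d smaller than pattern (%d bytes)"
                            % (pat, mods["within"], size))
        if ({"offset", "depth"} & mods.keys()) and ({"distance", "within"} & mods.keys()):
            problems.append("%r: mixes absolute and relative modifiers" % pat)
    return problems


def build_contents(host: str):
    """Content chain for 'POST / HTTP/1.1' followed by 'Host: <host>'.
    The second rule for the other host is this chain with its name."""
    return [
        ("POST|20 2f 20|HTTP|2f|1|2e|1", {"depth": 15}),   # request line at offset 0
        ("Host|3a|", {"distance": 2, "within": 5}),        # skip CRLF, then exactly "Host:"
        (host, {"distance": 1, "within": len(host)}),      # skip the space, then the host
    ]


def render_rule(host: str, sid: int) -> str:
    """Emit the equivalent Snort rule text; the source port ('any') is required."""
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET 80 '
            '(msg:"GINWIN Virus Post attempt"; flow:to_server,stateless; '
            'content:"POST|20 2f 20|HTTP|2f|1|2e|1"; depth:15; '
            'content:"Host|3a|"; distance:2; within:5; '
            'content:"%s"; distance:1; within:%d; sid:%d; rev:1;)'
            % (host, len(host), sid))


# Modifiers as first posted in the thread: within:3 opens a 3-byte window for
# the 5-byte "Host:", so that content can never match, and the later contents
# mix absolute depth with relative distance.
AS_POSTED = [
    ("POST|20 2f 20|HTTP|2f|1|2e|1", {"depth": 15}),
    ("Host|3a|", {"within": 3, "depth": 5}),
    ("scfzf.xicp.net", {"distance": 1, "depth": 14}),
]

# Constructed payloads (not from the pcap): the beacon shape the rule is after,
# the same POST to an unrelated host, and a POST to a different path.
SAMPLE_POST = (b"POST / HTTP/1.1\r\nHost: scfzf.xicp.net\r\n"
               b"User-Agent: Mozilla/4.0\r\nContent-Length: 0\r\n\r\n")
OTHER_HOST = b"POST / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
OTHER_PATH = b"POST /index.asp HTTP/1.1\r\nHost: scfzf.xicp.net\r\n\r\n"

if __name__ == "__main__":
    chain = build_contents("scfzf.xicp.net")
    print("as posted vs sample    :", match_contents(SAMPLE_POST, AS_POSTED))  # False
    print("corrected vs sample    :", match_contents(SAMPLE_POST, chain))      # True
    print("corrected vs other host:", match_contents(OTHER_HOST, chain))       # False
    print("corrected vs other path:", match_contents(OTHER_PATH, chain))       # False
    for problem in lint_contents(AS_POSTED):
        print("lint:", problem)
    print(render_rule("scfzf.xicp.net", 91919191))
```

Run it against a payload carved from a real capture (e.g. the TCP payload of the POST from the sandnet pcap) before trusting the windows; the evaluator only reproduces the documented modifier semantics, so the final check is still loading the rule into Snort and replaying the pcap.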