[Snort-sigs] Coverage for the "Night Dragon" Trojan

Matt Olney molney at ...435...
Thu Feb 10 15:27:41 EST 2011


Hey ET folks who are here...

If you guys could pass on this information:

The rules provided won't fire on Night Dragon C&C traffic.  The offset:66
is calculated from the beginning of the Layer 2 portion of the packet.  The
data portion (what Snort looks at) starts at offset 54.  The correct offset
for the rule should be 12.  Also, you probably want to add a depth:
qualifier of 3 bytes so you don't false positive further down the packet.

Don't normally check in on you guys, but this was important enough to check.

Matt
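The offset arithmetic above, as an added worked example (this is not code from the original post or from the ET/VRT rules): it assumes an untagged Ethernet frame with no IP or TCP options (14 + 20 + 20 = 54 header bytes), uses a constructed three-byte placeholder marker rather than the real Night Dragon pattern, and models Snort's content/offset/depth semantics with a small matcher instead of running Snort. It shows that a frame-relative offset of 66 misses the payload-relative match, that offset:12 finds it, and that depth:3 stops the same rule from matching the marker when it appears later in the payload.

```python
# Added example: Snort content matching is payload-relative, so an offset
# measured from the Ethernet frame start must have the header bytes removed.
# Assumptions (labelled): untagged Ethernet, no IP/TCP options, constructed
# placeholder marker bytes, simplified matcher (not Snort's engine).

ETH_HDR = 14        # Ethernet II header, no 802.1Q tag (assumption)
IPV4_HDR_MIN = 20   # IPv4 header without options (assumption)
TCP_HDR_MIN = 20    # TCP header without options (assumption)


def payload_start(eth=ETH_HDR, ip=IPV4_HDR_MIN, tcp=TCP_HDR_MIN):
    """Byte index in the frame where the TCP payload begins (54 here)."""
    return eth + ip + tcp


def rule_offset_from_frame(frame_offset):
    """Convert an offset measured from Layer 2 to a payload-relative offset.
    66 bytes into the frame is 12 bytes into the payload."""
    return frame_offset - payload_start()


def content_match(data, pattern, offset=0, depth=None):
    """Mimic Snort's content with offset/depth modifiers.

    offset: where the search window starts (0 = first payload byte).
    depth:  how many bytes from that offset are searched; with
            depth == len(pattern) the pattern must sit exactly at offset.
    """
    if depth is None:
        window = data[offset:]
    else:
        window = data[offset:offset + depth]
    return pattern in window


# Constructed placeholder; NOT the real Night Dragon C&C bytes.
MARKER = b"\x01\x02\x03"

# Constructed sample payload: 12 filler bytes, the marker, more filler,
# and the same marker repeated further down the stream.
SAMPLE_PAYLOAD = b"A" * 12 + MARKER + b"B" * 40 + MARKER + b"C" * 10

# Constructed sample payload where the marker is ONLY present further down,
# i.e. the kind of packet a rule without depth would false positive on.
LATE_MARKER_PAYLOAD = b"A" * 12 + b"ZZZ" + b"B" * 40 + MARKER


def build_frame(payload):
    """Prepend 54 bytes of dummy header so frame-relative offsets can be
    compared with payload-relative ones (header contents are irrelevant)."""
    return b"\x00" * payload_start() + payload


def evaluate_rule_variants(payload):
    """Return how each rule variant behaves on the given payload."""
    return {
        # offset:66 as written: applied to payload, looks past the marker.
        "offset66_on_payload": content_match(payload, MARKER, offset=66),
        # The same offset does hit if it were applied to the whole frame,
        # which is where the original number came from.
        "offset66_on_frame": content_match(build_frame(payload), MARKER, offset=66),
        # Corrected offset, no depth: matches anywhere from byte 12 on.
        "offset12_no_depth": content_match(payload, MARKER, offset=12),
        # Corrected offset plus depth:3: matches only at exactly byte 12.
        "offset12_depth3": content_match(payload, MARKER, offset=12, depth=3),
    }


if __name__ == "__main__":
    print("payload starts at frame byte", payload_start())
    print("frame offset 66 -> rule offset", rule_offset_from_frame(66))
    print("marker at byte 12:", evaluate_rule_variants(SAMPLE_PAYLOAD))
    print("marker only later:", evaluate_rule_variants(LATE_MARKER_PAYLOAD))
```

On the first sample the uncorrected offset misses because byte 66 is past the end of the interesting data, while offset 12 with depth 3 fires; on the second sample offset 12 without depth still fires on the marker that only appears 55 bytes in, and adding depth:3 suppresses that match.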

On Thu, Feb 10, 2011 at 2:47 PM, evilghost at ...3397... <
evilghost at ...3397...> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/10/11 13:41, Joel Esler wrote:
> > Registered users will have the normal 30 day wait.
>
> Joel, I think this is ok to post here...
>
> Those who are looking for coverage and who are not VRT subscribers can
> find it in Emerging-Threats (http://www.emergingthreats.net).
>
> There's an ongoing discussion here regarding several signatures which have
> been proposed for inclusion, see
>
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/011896.html
>
> Disclaimer - I have no vested interest in EmergingThreats, I'm just a
> simple/normal community participant there.
>
> - --
> It has been said that "hate" is a powerful emotion, perhaps that's why I'm
> so strong.
>
> - -evilghost
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQIcBAEBAgAGBQJNVEDOAAoJENgimYXu6xOHeXYP+wUttel/Ao8ulybFgG1iS3ar
> z1lzjvTybh5DgGVIJZ5D7QyLgsaYN4A10p6TzV5a914TuL1eEGmZLxfNjPt/et+q
> NUE8dZy3jW8M5JTgVZ1tl/aBVp798XG5h5JE57yPWdzo0gzyiOkwiZponS/HS1Lj
> sSakxNLjWRLNhCifnREW7iNY9TOmRwuGNIcfkFs0SgCqOE+ED2aR7Ko0XEPKOaMf
> ghoystILWO1uc08dDbeRDPq4BrDoBQZ3/cUDeMb/MW/BNGPdHsxlpETVEbQCg4LV
> p7NgYjJOWr6xrUxg5AKwxGkDneJrv8lj0NGT2FgywvBKevPIs32UGEaqqyY7LDX/
> JGReyADfdBd/TvGFJYgQ5jlIYsRL34517/+sfImHd19Ys4nZck6RL2+L+IINVSgG
> nozZ+fqG46mmZgCiVHwF73AzvSNCbqfU34ZbS+H19sGLVBbS0wYoGEcwKFDbax6R
> Kw7Jbw8ecYrvH1izkE0exU8K2/1LoAptfn0Gz231MMpLg/ldInqj/jzW+FCfbvXJ
> BDZMn0rqah3kXEq+mtt3tVX2bCn/ODAJ0iNtuR55goNLsrGAy6imrpzJdTasQeHg
> I2Fsz9etzLlUeyAW726AdbBONTZtYIuY2QfwyFQaIc9fLlC0KZEoycK1srQJGeY+
> 1sA7AJfGJLvnEdRHpwbi
> =3lHv
> -----END PGP SIGNATURE-----
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20110210/d388694b/attachment.html>
