[Snort-sigs] Coverage for the "Night Dragon" Trojan

Mike Cox mike.cox52 at ...2420...
Thu Feb 10 16:01:51 EST 2011


Hmmm ... this sounds like the sig I proposed to Emerging Threats this
morning but got no feedback on.

Sourcefire, please let me know where to send the bill.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Night Dragon C&C Communication Outbound"; content:"|68 57 24 13|";
offset:12; depth:4; http_client_body;
pcre:"/[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13/P";
classtype:trojan-activity;
reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf;
sid:2011213456;)

-Mike Cox

On Thu, Feb 10, 2011 at 2:27 PM, Matt Olney <molney at ...435...> wrote:
> Hey ET folks who are here...
> If you guys could pass on this information:
> The rules provided won't fire on Night Dragon C&C traffic.  The offset:66
> is calculated from the beginning of the Layer 2 portion of the packet.  The
> data portion (what Snort looks at) starts at offset 54.  The correct offset
> for the rule should be 12.  Also, you probably want to add a depth:
> qualifier of 3 bytes so you don't false positive further down the packet.
> Don't normally check in on you guys, but this was important enough to check.
>
> Matt
> On Thu, Feb 10, 2011 at 2:47 PM, evilghost at ...3397...
> <evilghost at ...3397...> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 02/10/11 13:41, Joel Esler wrote:
>> > Registered users will have the normal 30 day wait.
>>
>> Joel, I think this is ok to post here...
>>
>> Those who are looking for coverage and are not VRT subscribers can find it in
>> Emerging-Threats (http://www.emergingthreats.net).
>>
>> There's an ongoing discussion here regarding several signatures which have
>> been proposed for inclusion, see
>>
>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/011896.html
>>
>> Disclaimer - I have no vested interest in EmergingThreats, I'm just a
>> simple/normal community participant there.
>>
>> - --
>> It has been said that "hate" is a powerful emotion, perhaps that's why I'm
>> so strong.
>>
>> - -evilghost
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (GNU/Linux)
>>
>> iQIcBAEBAgAGBQJNVEDOAAoJENgimYXu6xOHeXYP+wUttel/Ao8ulybFgG1iS3ar
>> z1lzjvTybh5DgGVIJZ5D7QyLgsaYN4A10p6TzV5a914TuL1eEGmZLxfNjPt/et+q
>> NUE8dZy3jW8M5JTgVZ1tl/aBVp798XG5h5JE57yPWdzo0gzyiOkwiZponS/HS1Lj
>> sSakxNLjWRLNhCifnREW7iNY9TOmRwuGNIcfkFs0SgCqOE+ED2aR7Ko0XEPKOaMf
>> ghoystILWO1uc08dDbeRDPq4BrDoBQZ3/cUDeMb/MW/BNGPdHsxlpETVEbQCg4LV
>> p7NgYjJOWr6xrUxg5AKwxGkDneJrv8lj0NGT2FgywvBKevPIs32UGEaqqyY7LDX/
>> JGReyADfdBd/TvGFJYgQ5jlIYsRL34517/+sfImHd19Ys4nZck6RL2+L+IINVSgG
>> nozZ+fqG46mmZgCiVHwF73AzvSNCbqfU34ZbS+H19sGLVBbS0wYoGEcwKFDbax6R
>> Kw7Jbw8ecYrvH1izkE0exU8K2/1LoAptfn0Gz231MMpLg/ldInqj/jzW+FCfbvXJ
>> BDZMn0rqah3kXEq+mtt3tVX2bCn/ODAJ0iNtuR55goNLsrGAy6imrpzJdTasQeHg
>> I2Fsz9etzLlUeyAW726AdbBONTZtYIuY2QfwyFQaIc9fLlC0KZEoycK1srQJGeY+
>> 1sA7AJfGJLvnEdRHpwbi
>> =3lHv
>> -----END PGP SIGNATURE-----
>>
>>
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the development cycle.
>> Locate bottlenecks in serial and parallel code that limit performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org

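The offset arithmetic in Matt's reply (a marker seen at byte 66 of a captured frame sits at byte 12 of the payload Snort inspects, because 14 bytes of Ethernet, 20 of IPv4 and 20 of TCP come first) and the content/offset/depth plus pcre logic of Mike's rule, worked through as an added example. This is editor-added code, not from anyone in the thread or from Emerging Threats; it assumes minimal headers with no IP or TCP options, treats the TCP payload as the buffer Snort matches against (as Matt describes), and uses a constructed sample payload rather than real C&C traffic. It also shows why Matt's depth qualifier matters: the same four bytes appearing further into the payload no longer fire the rule.

```python
"""
Added worked example (not from the thread): translate an offset measured in a
raw packet capture into the payload-relative offset Snort uses, then apply the
rule's content/offset/depth and pcre checks to a constructed sample payload.
All byte strings here are constructed for illustration, not real C&C traffic.
"""
import re
import struct
from typing import Optional

ETH_HDR_LEN = 14    # dst MAC (6) + src MAC (6) + EtherType (2)
IPV4_HDR_LEN = 20   # minimal IPv4 header, no options (assumption)
TCP_HDR_LEN = 20    # minimal TCP header, no options (assumption)
PAYLOAD_START = ETH_HDR_LEN + IPV4_HDR_LEN + TCP_HDR_LEN   # 54: where the payload buffer begins

MARKER = bytes.fromhex("68572413")   # the |68 57 24 13| content from the rule
# The rule's pcre, written as a Python bytes regex
C2_PATTERN = re.compile(rb"[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13")


def frame_to_payload_offset(frame_offset: int) -> int:
    """Offset counted from the start of the Ethernet frame -> offset inside the TCP payload."""
    if frame_offset < PAYLOAD_START:
        raise ValueError("offset lies inside the headers, not the payload")
    return frame_offset - PAYLOAD_START


def content_match(payload: bytes, needle: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort-style content match: start searching at `offset`, look at most `depth` bytes."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return needle in window


def rule_matches(payload: bytes) -> bool:
    """The thread's detection logic: content at offset 12 / depth 4, plus the pcre."""
    return (content_match(payload, MARKER, offset=12, depth=4)
            and C2_PATTERN.search(payload) is not None)


def build_frame(payload: bytes) -> bytes:
    """Wrap a payload in constructed Ethernet/IPv4/TCP headers (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, IPV4_HDR_LEN + TCP_HDR_LEN + len(payload),
                     0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))   # constructed addresses
    tcp = struct.pack("!HHIIBBHHH",
                      49152, 80, 0, 0, (TCP_HDR_LEN // 4) << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed sample: the pcre's opening bytes, 10 bytes of filler, the marker at payload offset 12
SAMPLE_PAYLOAD = b"\x01\x50" + b"\xaa" * 10 + MARKER + b"\x00" * 8
# Same four bytes much further into the payload: without depth:4 this would also match
LATE_MARKER_PAYLOAD = b"\x01\x50" + b"\xbb" * 40 + MARKER

if __name__ == "__main__":
    frame = build_frame(SAMPLE_PAYLOAD)
    at = frame.find(MARKER)
    print("marker at frame offset", at)                           # 66
    print("payload offset", frame_to_payload_offset(at))          # 12
    print("rule matches sample:", rule_matches(SAMPLE_PAYLOAD))   # True
    print("rule matches late marker:", rule_matches(LATE_MARKER_PAYLOAD))   # False
```

Running it prints the marker at frame offset 66 and payload offset 12, matches the sample payload, and rejects the payload whose marker sits past the offset:12/depth:4 window even though the pcre alone would still match it.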