[Snort-sigs] Night Dragon

Matthew Jonkman jonkman at ...3525...
Thu Feb 10 23:22:23 EST 2011

FYI, we also just added 2 new sigs for the Night Dragon thing:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Night Dragon Dropper Download Command"; flow:established,from_server; dsize:5; content:"|01 08 00 00 00|"; depth:5; classtype:trojan-activity; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; sid:2012308; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Night Dragon CMD Shell"; flow:established,to_server; content:"|68 57 24 13 00 33|Microsoft"; offset:12; depth:15; classtype:trojan-activity; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; sid:2012307; rev:1;)

These are the ones you should soil yourself over when you see them hitting on your net. :)

Recommend everyone push them, regardless of the ruleset you run!


Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
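Added editorial example (not part of Matthew's post and not Emerging Threats code): a small Python model of the content/offset/depth/dsize matching the two rules above rely on, run over constructed sample payloads, so an analyst tuning or reviewing them can see exactly which bytes each rule keys on. The sample payloads are constructed here for illustration; only the byte patterns, sids and modifiers come from the rules in the post.

```python
from typing import List, Optional

# Byte patterns taken verbatim from the two rules in the post.
# sid:2012308 - server -> client, dsize:5, content:"|01 08 00 00 00|"; depth:5
DROPPER_CMD = bytes.fromhex("0108000000")
# sid:2012307 - client -> server, content:"|68 57 24 13 00 33|Microsoft"; offset:12; depth:15
CMD_SHELL_MARKER = bytes.fromhex("685724130033") + b"Microsoft"


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort-style content match: look for `pattern` in the window that
    starts at `offset` and, when `depth` is given, is `depth` bytes long.
    As in Snort, depth is counted from the offset, so a 15-byte pattern
    with offset:12 depth:15 can only match when it starts at byte 12."""
    window_end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, window_end) != -1


def matches_dropper_download(payload: bytes, from_server: bool) -> bool:
    """sid:2012308: server-to-client, payload exactly 5 bytes (dsize:5),
    and those 5 bytes are 01 08 00 00 00 (depth:5)."""
    return (from_server
            and len(payload) == 5
            and content_match(payload, DROPPER_CMD, offset=0, depth=5))


def matches_cmd_shell(payload: bytes, to_server: bool) -> bool:
    """sid:2012307: client-to-server, marker occupying bytes 12..26."""
    return to_server and content_match(payload, CMD_SHELL_MARKER, offset=12, depth=15)


def evaluate(payload: bytes, direction: str) -> List[int]:
    """Return the sids that would fire for one packet payload.
    `direction` is 'to_server' or 'from_server' (the rules' flow: modifiers)."""
    fired = []
    if matches_dropper_download(payload, direction == "from_server"):
        fired.append(2012308)
    if matches_cmd_shell(payload, direction == "to_server"):
        fired.append(2012307)
    return fired


# Constructed sample payloads (illustrative, not captured traffic).
SAMPLES = {
    # exactly the 5 command bytes from the server: dropper rule fires
    "dropper_exact": (DROPPER_CMD, "from_server"),
    # same prefix but 6 bytes: dsize:5 fails, so nothing fires
    "dropper_too_long": (DROPPER_CMD + b"\x00", "from_server"),
    # same 5 bytes but client -> server: flow direction fails
    "dropper_wrong_direction": (DROPPER_CMD, "to_server"),
    # 12 bytes of header-like filler, then the marker: shell rule fires
    "shell_at_offset_12": (b"A" * 12 + CMD_SHELL_MARKER + b" Windows", "to_server"),
    # marker one byte later: outside the offset:12/depth:15 window
    "shell_at_offset_13": (b"A" * 13 + CMD_SHELL_MARKER, "to_server"),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns {name: [sids]}."""
    return {name: evaluate(payload, direction)
            for name, (payload, direction) in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name:24s} -> {sids or 'no alert'}")
```

The point of the model is the window arithmetic: offset:12 with depth:15 and a 15-byte content leaves no slack, so the marker must sit at exactly byte 12, and dsize:5 plus depth:5 means the dropper rule only fires on a payload that is nothing but those five bytes. Anything padded, shifted or flowing the other way is silent, which is what keeps these two rules quiet on ordinary HTTP.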
