[Snort-sigs] Context: Malware Blog Post on Dark Comet RAT with Snort Signatures

Martin Holste mcholste at ...2420...
Thu Nov 3 12:04:13 EDT 2011

> Context Information Security has released a blog post on the Dark Comet RAT. The article covers the reverse engineering and analysis of its functionality, how to decrypt its traffic, and Snort signatures to detect its traffic on the wire.

Intel is always welcome on mailing lists, but advertising is not.
Your post here is walking a very fine line between the two.

> Signatures:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature: DarkComet-RAT Incoming Keepalive"; flow:from_server,established; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature: DarkComet-RAT Outgoing Keepalive"; flow:to_server,established; pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1; reference:url,www.contextis.com/research/blog/darkcometrat/;)

These signatures are poor and have had better versions available for
free to the Snort community since June 21st via a separate
organization on a separate mailing list under sid 2013090.  I have no
problem with beginners posting sigs that need improvement, but if you
advertise for your company, you lose "beginner" status.
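The two rules quoted above rely on an unanchored `pcre` with no `content` prefilter, so the regex runs against every established packet in that direction and fires wherever the token appears in a payload. The following Python script is an added example (not code from the Context blog post, from this thread, or from the Emerging Threats rule Martin refers to): it copies the two regexes verbatim from the quoted rules, runs them over constructed payloads, and compares them with an illustrative anchored and length-bounded variant. The payloads are constructed for the demonstration, and the assumption that a DarkComet keepalive sits alone at the start of the payload is mine, not something the quoted post states.

```python
"""Exercise the DarkComet keepalive PCREs from the quoted Snort rules.

Added example, not code from the Context blog post, the Snort-sigs thread,
or sid 2013090.  The two original regexes are copied verbatim from the
quoted rules; the payloads are constructed; the "tight" variants are an
illustrative tightening (anchor to payload start, bound the length), which
is only correct under the assumption that the keepalive token is the whole
message.  In a real rule the same narrowing would be done with
content/fast_pattern, depth and dsize rather than in the regex alone.
"""
import re

# Regexes exactly as they appear in the quoted rules.
INCOMING_PCRE = re.compile(rb"KeepAlive\|\d{7}")   # sid 1000001, flow:from_server
OUTGOING_PCRE = re.compile(rb"KEEPALIVE\d{7}")     # sid 1000002, flow:to_server

# Assumed tightening: \A anchors to payload start, \Z requires the token to be
# the entire payload (assumption: no trailing data in a real keepalive).
INCOMING_TIGHT = re.compile(rb"\AKeepAlive\|\d{7}\Z")
OUTGOING_TIGHT = re.compile(rb"\AKEEPALIVE\d{7}\Z")


def evaluate(payload: bytes, src_is_home: bool, tight: bool = False) -> list:
    """Return the sids that would fire on one payload.

    The quoted rules split on direction (flow:to_server vs from_server), so
    each payload is only tested against the rule for its own direction.
    """
    if src_is_home:
        pattern = OUTGOING_TIGHT if tight else OUTGOING_PCRE
        sid = 1000002
    else:
        pattern = INCOMING_TIGHT if tight else INCOMING_PCRE
        sid = 1000001
    return [sid] if pattern.search(payload) else []


# Constructed sample payloads (label, payload, source is $HOME_NET).
SAMPLES = [
    ("c2 keepalive to server",   b"KEEPALIVE1234567",   True),
    ("c2 keepalive from server", b"KeepAlive|1234567",  False),
    # Benign traffic carrying the token mid-payload: an HTTP response body
    # from an external web server that happens to discuss the rule.
    ("http body mentioning token",
     b"HTTP/1.1 200 OK\r\n\r\n<p>KeepAlive|7654321 is DarkComet</p>", False),
    # \d{7} has no boundary, so an eight-digit run still matches as posted.
    ("eight-digit variant",      b"KEEPALIVE12345678",  True),
    # The outgoing pcre is case-sensitive; a lowercase token never matches.
    ("lowercase keepalive",      b"keepalive1234567",   True),
]


def run(tight: bool = False) -> dict:
    """Evaluate every sample; returns label -> list of fired sids."""
    return {label: evaluate(p, home, tight) for label, p, home in SAMPLES}


if __name__ == "__main__":
    for mode in (False, True):
        print("tightened" if mode else "as posted")
        for label, sids in run(mode).items():
            print(f"  {label:28s} -> {sids or 'no alert'}")
```

Running it shows the as-posted incoming rule alerting on the benign HTTP body, while the anchored variant does not; it also shows that the bounded variant drops the eight-digit payload, which is a gain only if the protocol really fixes the length, so a rule author would confirm that against decrypted samples before shipping it.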
