[Snort-sigs] Context: Malware Blog Post on Dark Comet RAT with Snort Signatures

JJ Cummings cummingsj at ...2420...
Thu Nov 3 12:26:08 EDT 2011


These rules are very very very bad, and are missing a foundational item that every pcre rule should have, a basic content match.

Sent from the iRoad

On Nov 3, 2011, at 10:04, Martin Holste <mcholste at ...2420...> wrote:

>> Context Information Security has released a blog post on the Dark Comet RAT.  The article covers the reverse engineering and analysis of its functionality, how to decrypt its traffic and snort signatures to detect its traffic on the wire.
>> 
> 
> Intel is always welcome on mailing lists, but advertising is not.
> Your post here is walking a very fine line between the two.
> 
>> 
>> Signatures:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature: DarkComet-RAT Incoming Keepalive"; flow:from_server,established; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature: DarkComet-RAT Outgoing Keepalive"; flow:to_server,established; pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1; reference:url,www.contextis.com/research/blog/darkcometrat/;)
>> 
> 
> These signatures are poor and have had better versions available for
> free to the Snort community since June 21st via a separate
> organization on a separate mailing list under sid 2013090.  I have no
> problem with beginners posting sigs that need improvement, but if you
> advertise for your company, you lose "beginner" status.
> 
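Added example, not part of the original thread and not Context's published signatures: the two quoted rules rewritten with the content anchor JJ is asking for. A `content` match gives Snort a literal to prefilter on with its fast-pattern matcher, so the `pcre` is only evaluated on packets that already carry the keepalive token instead of on every established packet in the flow. The `sid`/`rev` values, `msg` text and the explicit `fast_pattern` modifier are assumptions of this rewrite.

```snort
# Constructed rewrite of the quoted DarkComet keepalive rules (example only).
# The pipe in the server-side token is written as |7C| because "|" delimits
# hex bytes inside a Snort content string; content is case-sensitive without
# nocase, which keeps the mixed-case and upper-case tokens distinct.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DarkComet-RAT Incoming Keepalive (content-anchored example)"; flow:from_server,established; content:"KeepAlive|7C|"; fast_pattern; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:3; reference:url,www.contextis.com/research/blog/darkcometrat/;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DarkComet-RAT Outgoing Keepalive (content-anchored example)"; flow:to_server,established; content:"KEEPALIVE"; fast_pattern; pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)
```

The detection logic is unchanged: the PCRE still decides the final match. The difference is that the literal in `content` is what the multi-pattern engine searches for, and the rule is only handed to the PCRE engine after that literal is found, which is the cost model the thread's objection is about.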