[Snort-sigs] Context: Malware Blog Post on Dark Comet RAT with Snort Signatures

Bad Horse b4dh0rs3 at ...2420...
Thu Nov 3 13:27:11 EDT 2011


Thank you for saying this.  I was really trying to be nice here but
apparently I did not perform due diligence enough to see that the
Emerging Threats (http://www.emergingthreats.net) community has this
already covered.  I won't nit-pick the poor quality of the rules
suggested by disclosure at ...3619... but let's just say it reminds
me of VRT new-hires (just kidding VRT .. mostly :)

But seriously, I applaud the Emerging Threats community for once again
being ahead of the threat and beating out competition like Sourcefire
VRT, ISS X-Force, TippingPoint "Digital Doctors", McAfee "I really
need a job so I'll take this one" group, Symantec "meh, just pay us"
team, Checkpoint "you can't be sure but we don't block on the
Sabbath", and others.

-Bad Horse
 The Thoroughbred of SYN

On 11/3/11, Martin Holste <mcholste at ...2420...> wrote:
>> Context Information Security has released a blog post on the Dark Comet
>> RAT.  The article covers the reverse engineering and analysis of its
>> functionality, how to decrypt its traffic and snort signatures to detect
>> its traffic on the wire.
> Intel is always welcome on mailing lists, but advertising is not.
> Your post here is walking a very fine line between the two.
>> Signatures:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature:
>> DarkComet-RAT Incoming Keepalive"; flow:from_server,established;
>> pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2;
>> reference:url,www.contextis.com/research/blog/darkcometrat/;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature:
>> DarkComet-RAT Outgoing Keepalive"; flow:to_server,established;
>> pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1;
>> reference:url,www.contextis.com/research/blog/darkcometrat/;)
> These signatures are poor and have had better versions available for
> free to the Snort community since June 21st via a separate
> organization on a separate mailing list under sid 2013090.  I have no
> problem with beginners posting sigs that need improvement, but if you
> advertise for your company, you lose "beginner" status.
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
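As an added illustration, not part of the thread, the Context blog post or the Emerging Threats rule: the matching logic of the two quoted signatures (flow direction plus the `KeepAlive|\d{7}` / `KEEPALIVE\d{7}` patterns) run over constructed sample payloads in Python, with a literal content pre-filter ahead of each regex, the cheap anchor a Snort rule normally carries before a `pcre` option so the regex engine only sees candidate packets.

```python
import re

# Constructed sample flows, not real captures: (direction, TCP payload).
# "from_server" = C2 server -> infected host, "to_server" = host -> C2 server,
# mirroring the flow:from_server / flow:to_server options in the quoted rules.
SAMPLE_FLOWS = [
    ("from_server", b"KeepAlive|1234567"),   # matches sid 1000001
    ("to_server",   b"KEEPALIVE7654321"),    # matches sid 1000002
    ("to_server",   b"KeepAlive|1234567"),   # right bytes, wrong direction
    ("from_server", b"GET / HTTP/1.1\r\n"),  # unrelated traffic
    ("from_server", b"KeepAlive|12345"),     # anchor present, too few digits
]

# (sid, required direction, literal anchor, regex). The sid values and regexes
# are the ones quoted in the thread; the literal anchor is an assumption added
# here to show the content-before-pcre pattern, not part of the posted rules.
RULES = [
    (1000001, "from_server", b"KeepAlive|", re.compile(rb"KeepAlive\|\d{7}")),
    (1000002, "to_server",   b"KEEPALIVE",  re.compile(rb"KEEPALIVE\d{7}")),
]


def match_rules(direction, payload):
    """Return the sids that fire for one payload seen in one direction."""
    hits = []
    for sid, flow, anchor, pattern in RULES:
        if direction != flow:
            continue                      # flow option rejects the packet
        if anchor not in payload:
            continue                      # cheap literal check, no regex run
        if pattern.search(payload):       # pcre only on surviving candidates
            hits.append(sid)
    return hits


def scan(flows):
    """Run every rule over every flow; return (alerts, regex evaluations)."""
    alerts, regex_evals = [], 0
    for direction, payload in flows:
        for sid, flow, anchor, pattern in RULES:
            if direction != flow or anchor not in payload:
                continue
            regex_evals += 1
            if pattern.search(payload):
                alerts.append((sid, payload))
    return alerts, regex_evals


if __name__ == "__main__":
    alerts, evals = scan(SAMPLE_FLOWS)
    print(alerts, "regex evaluations:", evals)  # 2 alerts, 3 of 10 pairs
```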
