[Snort-sigs] [Emerging-Sigs] Signatures for ELF packages?

Lay, James james.lay at ...3513...
Tue Dec 18 11:30:08 EST 2012
VRT has a few that match; also, ET rule 2000418 looks like it would work,
although it's commented out in my setup.  Hope that helps.
From: emerging-sigs-bounces at ...3694...
[mailto:emerging-sigs-bounces at ...3694...] On Behalf Of
L0rd Ch0de1m0rt
Sent: Tuesday, December 18, 2012 7:41 AM
To: emerging-sigs at ...3335...; snort-sigs at lists.sourceforge.net
Subject: [Emerging-Sigs] Signatures for ELF packages?


Recently we released a corporate Linux desktop image for our developers
and since then I have (obviously) seen a lot of ELF packages come down
with people doing updates/installs etc. I also see some ELF binaries on
one of our mail servers (mail12.internal -- we assign mail servers based
on employee birth month for load balancing).

Are there some known good sigs for detecting ELF packages being received
or anything similar coming down the stack?

I understand the ELF activity due to updates and things but it seemed
weird to see it on mail12:25.  The other weird thing is I also see TCP
packets with the FIN, Push, and Urgent flags set that are going to/from
the Linux boxes.  This probably isn't related so I mention it here
mostly for my personal reference.

I'm new to inspecting an environment where Linux is allowed on the
corporate network so I appreciate any help.  The ELF packages were
suspicious but I suspect that most are nice and not bad.  However, on
mail12:25, when I see the ELF packages and related activity, afterwards
there are a lot of sockets hung and I have to carefully restart the


-L0rd C.
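Added example, not part of either message above and not the text of any VRT or ET rule: the detection logic a "content:"|7F|ELF"; depth:4;" style signature performs, reproduced in Python so it can be run over captured payloads, plus a decode of the ELF e_ident/e_type fields that follow the magic (a cheap way to separate real ELF headers from a chance 4-byte match) and a check for the FIN/PSH/URG flag combination mentioned in the question. The sample payloads and flag values are constructed here for illustration; the rule id 2000418 is only referred to, its content is not reproduced.

```python
"""Added example: what an ELF-download signature matches on, and a TCP
flag-mask check for FIN+PSH+URG.  Sample data is constructed, not captured."""
import struct

ELF_MAGIC = b"\x7fELF"

# TCP flag bits as laid out in the low byte of the TCP flags field
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10
TCP_URG = 0x20


def is_elf_payload(payload: bytes) -> bool:
    """Equivalent of content:"|7F|ELF"; depth:4; -- magic must sit at offset 0
    of the inspected buffer."""
    return payload[:4] == ELF_MAGIC


def elf_ident(payload: bytes) -> dict:
    """Decode EI_CLASS, EI_DATA, EI_VERSION and e_type after the magic.

    A genuine ELF header has EI_CLASS in {1,2}, EI_DATA in {1,2} and
    EI_VERSION == 1; e_type sits at offset 16 in the file's own byte order.
    Returns {} when the buffer is not ELF or is too short for those fields.
    """
    if not is_elf_payload(payload) or len(payload) < 18:
        return {}
    ei_class, ei_data, ei_version = payload[4], payload[5], payload[6]
    endian = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack(endian + "H", payload[16:18])
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "unknown"),
        "data": {1: "little-endian", 2: "big-endian"}.get(ei_data, "unknown"),
        "version": ei_version,
        "type": {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}.get(e_type, "unknown"),
        "plausible": ei_class in (1, 2) and ei_data in (1, 2) and ei_version == 1,
    }


def is_fin_psh_urg(flags: int) -> bool:
    """True when exactly FIN, PSH and URG are set and nothing else."""
    return flags == (TCP_FIN | TCP_PSH | TCP_URG)


# Constructed sample payloads: the first 20 bytes of an ELF64 little-endian
# shared object, an ELF32 big-endian executable, a gzip stream, and an SMTP
# banner.  The hostname is the one from the question; the banner is made up.
SAMPLES = {
    "elf64": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"\x03\x00" + b"\x3e\x00",
    "elf32be": b"\x7fELF\x01\x02\x01\x00" + b"\x00" * 8 + b"\x00\x02" + b"\x00\x08",
    "gzip": b"\x1f\x8b\x08\x00" + b"\x00" * 20,
    "smtp": b"220 mail12.internal ESMTP ready\r\n",
}


def scan_samples(samples=SAMPLES):
    """Names of the payloads that would trip the ELF magic signature."""
    return [name for name, data in samples.items() if is_elf_payload(data)]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8} elf={is_elf_payload(data)} {elf_ident(data)}")
    print("FIN/PSH/URG set:", is_fin_psh_urg(TCP_FIN | TCP_PSH | TCP_URG))
```

Two caveats worth keeping in mind when reading alerts from a rule of this shape: a raw content match anchored at depth 4 only fires when the ELF header begins the buffer being inspected, so for HTTP downloads the rule has to look at the response body rather than the start of the TCP payload (Snort's file_data buffer is the usual way), and a binary attached to mail on port 25 is normally base64-encoded inside MIME, so the literal 7F 45 4C 46 bytes will not be on the wire at all. Seeing the bare magic in an SMTP session is therefore unusual in itself.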
