[Snort-sigs] [Emerging-Sigs] Signatures for ELF packages?
james.lay at ...3513...
Tue Dec 18 11:30:08 EST 2012
VRT has a few that match, also ET rule 2000418 looks like it would work,
although it's commented out in my setup. Hope that helps.
From: emerging-sigs-bounces at ...3694...
[mailto:emerging-sigs-bounces at ...3694...] On Behalf Of
Sent: Tuesday, December 18, 2012 7:41 AM
To: emerging-sigs at ...3335...; snort-sigs at lists.sourceforge.net
Subject: [Emerging-Sigs] Signatures for ELF packages?
Recently we released a corporate Linux desktop image for our developers
and since then I have (obviously) seen a lot of ELF packages come down
with people doing updates/installs etc. I also see some ELF binaries on
one of our mail servers (mail12.internal -- we assign mail servers based
on employee birth month for load balancing).
Are there some known good sigs for detecting ELF packages being received
or anything similar coming down the stack?
I understand the ELF activity due to updates and things but it seemed
weird to see it on mail12:25. The other weird thing is I also see TCP
packets with the FIN, Push, and Urgent flags set that are going to/from
the Linux boxes. This probably isn't related so I mention it here
mostly for my personal reference.
I'm new to inspecting an environment where Linux is allowed on the
corporate network so I appreciate any help. The ELF packages were
suspicious but I suspect that most are nice and not bad. However, on
mail12:25, when I see the ELF packages and related activity, afterwards
there are a lot of sockets hung and I have to carefully restart the
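An added example, not code from this thread and not the VRT or ET rule the reply points at, of what a signature for "ELF packages coming down" actually checks: match the 4-byte ELF magic, then validate and decode the rest of the header so chance matches are dropped and each hit carries the file class, type and target architecture for triage. It also covers the port-25 case: inside a MIME body the attachment is base64-encoded, so the magic shows up as the text `f0VMRg`, not as the bytes `|7F|ELF`. The sample payloads are constructed, not captured traffic; the Snort keywords mentioned in the comments (`content`, `depth`) are real, but the rule logic here is the example's own.

```python
"""Added example, not code from the thread: find ELF binaries in reassembled
TCP payloads the way a Snort content match on |7F|ELF does, then validate
and decode the ELF header so a hit can be triaged rather than just counted."""
import base64
import re
import struct
from dataclasses import dataclass
from typing import Optional

ELF_MAGIC = b"\x7fELF"
# base64 of "\x7fELF" followed by an EI_CLASS byte of 1 or 2 always starts with
# these six characters; that is the form an attachment takes inside a MIME body.
B64_RUN = re.compile(rb"f0VMRg[A-Za-z0-9+/]{22,}")  # 28+ chars decode to >= 21 bytes

ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little-endian", 2: "big-endian"}
ELF_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
ELF_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


@dataclass
class ElfHit:
    offset: int        # where the magic (or the base64 run) begins in the payload
    encoding: str      # "raw" or "base64"
    elf_class: str
    endianness: str
    e_type: str
    machine: str


def parse_elf_header(buf: bytes, offset: int = 0, encoding: str = "raw") -> Optional[ElfHit]:
    """Decode e_ident/e_type/e_machine if buf[offset:] starts with a plausible ELF
    header. Checking EI_CLASS, EI_DATA and EI_VERSION discards chance 4-byte matches."""
    hdr = buf[offset:offset + 20]
    if len(hdr) < 20 or hdr[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data, ei_version = hdr[4], hdr[5], hdr[6]
    if ei_class not in ELF_CLASS or ei_data not in ELF_DATA or ei_version != 1:
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", hdr[16:20])
    return ElfHit(offset, encoding, ELF_CLASS[ei_class], ELF_DATA[ei_data],
                  ELF_TYPE.get(e_type, f"unknown({e_type})"),
                  ELF_MACHINE.get(e_machine, f"unknown({e_machine})"))


def matches_depth4(payload: bytes) -> bool:
    """What content:"|7F|ELF"; depth:4; sees: the magic must sit at offset 0 of the buffer."""
    return payload[:4] == ELF_MAGIC


def scan_payload(payload: bytes) -> list[ElfHit]:
    """Every validated ELF header in the payload, raw or base64-encoded, at any offset."""
    hits: list[ElfHit] = []
    pos = payload.find(ELF_MAGIC)
    while pos != -1:
        hit = parse_elf_header(payload, pos)
        if hit:
            hits.append(hit)
        pos = payload.find(ELF_MAGIC, pos + 1)
    for m in B64_RUN.finditer(payload):
        run = m.group(0)
        decoded = base64.b64decode(run[:len(run) - len(run) % 4])  # whole quads only
        hit = parse_elf_header(decoded, 0, encoding="base64")
        if hit:
            hit.offset = m.start()
            hits.append(hit)
    return hits


def make_elf_header(ei_class=2, ei_data=1, e_type=3, e_machine=62) -> bytes:
    """Constructed 24-byte ELF header prefix (e_ident, e_type, e_machine, e_version)."""
    endian = "<" if ei_data == 1 else ">"
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(endian + "HHI", e_type, e_machine, 1)


# Constructed sample streams, not captured traffic.
SAMPLE_HTTP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
               + make_elf_header() + b"\x00" * 40)                  # a package download
SAMPLE_SMTP = (b"Content-Type: application/octet-stream\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n"
               + base64.b64encode(make_elf_header(1, 1, 2, 3) + b"\x00" * 40)
               + b"\r\n")                                          # a mail attachment
SAMPLE_NOISE = b"log: " + ELF_MAGIC + b"\x09\x09\x09" + b"\x00" * 24  # magic in non-ELF data


if __name__ == "__main__":
    for name, sample in [("http", SAMPLE_HTTP), ("smtp", SAMPLE_SMTP), ("noise", SAMPLE_NOISE)]:
        print(name, "depth4:", matches_depth4(sample), "hits:", scan_payload(sample))
```

Two points the samples make. First, `depth:4` only fires when the magic is at the start of the inspected buffer, so on the reassembled HTTP stream above it misses, while a scan at any offset (or, in Snort, matching in the `file_data` buffer) finds the header right after the response headers. Second, a raw-magic rule will fire on every legitimate apt or yum download on a developer network, exactly the noise the original poster describes; what makes a hit worth a look is the combination of the decoded fields (an x86 `ET_EXEC` rather than a shared object) and the destination (a mail server on port 25, where the only expected ELF content is a base64 attachment, rather than a package mirror).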