[Snort-sigs] Question on 26287

James Lay jlay at ...3266...
Tue Apr 2 16:16:55 EDT 2013


Hey all.

Here's the rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Ortega Rootkit outbound connection - search.namequery.com"; flow:to_server,established; content:" search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|TagId: "; depth:9; offset:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:1;)

Any additional info on this? You didn't hear this from me, but this 
fires on a Fujitsu Q550 running Windows 7 Professional x86 out of the box 
:)

James
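To make the offset/depth semantics of that rule concrete, here is an added Python sketch (not from the post and not Snort's matcher) that re-implements the rule's two content checks over a constructed stand-in for Snort's http_header buffer. It assumes the buffer begins at the first header line, so the second check only ever looks at bytes 15 through 23.

```python
from typing import Optional

# Added example: re-implements the two content checks of SID 26287 over a byte
# buffer standing in for Snort's http_header buffer. Not Snort code; assumes
# (an assumption) that the buffer starts at the first header line.

# content:" search.namequery.com|0D 0A|"; http_header;  -> no offset/depth: anywhere
HOST_PATTERN = b" search.namequery.com\r\n"
# content:"|0D 0A|TagId: "; depth:9; offset:15;  -> 9-byte pattern, 9-byte window at 15
TAGID_PATTERN = b"\r\nTagId: "
TAGID_OFFSET = 15
TAGID_DEPTH = 9


def content_match(buf: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort-style content check: search 'depth' bytes starting at absolute
    'offset' in the buffer; no depth means search to the end of the buffer."""
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    return pattern in window


def rule_26287_matches(http_header_buf: bytes) -> bool:
    """True when both content checks of the rule hold for this header buffer."""
    return (content_match(http_header_buf, HOST_PATTERN)
            and content_match(http_header_buf, TAGID_PATTERN,
                              TAGID_OFFSET, TAGID_DEPTH))


def explain(http_header_buf: bytes) -> dict:
    """Per-check breakdown, handy when working out why a hit did or did not fire."""
    return {
        "host_anywhere": content_match(http_header_buf, HOST_PATTERN),
        "tagid_at_15": content_match(http_header_buf, TAGID_PATTERN,
                                     TAGID_OFFSET, TAGID_DEPTH),
    }


# Constructed header buffers (not captured traffic). The first header line is
# exactly 15 bytes, so CRLF + "TagId: " lands at offset 15 as the rule requires.
FIRING = (b"X-Id: abcdefghi\r\n"
          b"TagId: 0001\r\n"
          b"Host: search.namequery.com\r\n")
# Same headers, but the first line is 16 bytes: the TagId check now fails because
# offset:15 depth:9 never examines anything beyond byte 23.
SHIFTED = (b"X-Id: abcdefghij\r\n"
           b"TagId: 0001\r\n"
           b"Host: search.namequery.com\r\n")

if __name__ == "__main__":
    for name, buf in (("FIRING", FIRING), ("SHIFTED", SHIFTED)):
        print(name, rule_26287_matches(buf), explain(buf))
```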