[Snort-sigs] Question on 26287

Joel Esler jesler at ...435...
Tue Apr 2 21:33:46 EDT 2013


Btw -- since that rule was a community rule, it's already been shipped in the community set update.

--
Joel Esler
Sent from my iPhone 

On Apr 2, 2013, at 7:23 PM, James Lay <jlay at ...3266...> wrote:

> 
> On Apr 2, 2013, at 4:47 PM, Joel Esler <jesler at ...435...> wrote:
> 
>> On Apr 2, 2013, at 4:16 PM, James Lay <jlay at ...3266...> wrote:
>> 
>>> Hey all.
>>> 
>>> Here's the rule:
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Ortega Rootkit outbound connection - search.namequery.com"; flow:to_server,established; content:" search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|TagId: "; depth:9; offset:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:1;)
>>> 
>>> Any additional info on this?  You didn't hear this from me, but this 
>>> fires on Fujitsu Q550 running Windows 7 Professional x86 out of the box 
>>> :)
>> 
>> 
>> Here is that rule now (it hasn't been shipped yet):
>> 
>> # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.absolute.com/en/products/absolute-computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:3;)
>> 
>> This is Computrace's "laptop lo-jack" software.  I've moved it from MALWARE-CNC to APP-DETECT, changed the message and took it out of the balanced policy.
>> 
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
> 
> 
> Awesome…thanks Joel.
> 
> James
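As an added example (not code from the thread, the VRT or Sourcefire), the two revisions of sid 26287 quoted above are parsed and diffed so a rule reviewer can see exactly what rev 3 changed: the msg category prefix, which policies the metadata enables it in, the content matches, and the fact that rev 3 ships commented out. The parser is a minimal one written for this example and handles only the option syntax these two rules use.

```python
# Both revisions of sid 26287 as quoted in the thread (mail line-wraps joined by hand).
REV1 = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Ortega Rootkit outbound connection - '
        'search.namequery.com"; flow:to_server,established; content:" search.namequery.com|0D 0A|"; fast_pattern:only; '
        'http_header; content:"|0D 0A|TagId: "; depth:9; offset:15; metadata:impact_flag red, policy balanced-ips drop, '
        'policy security-ips drop, ruleset community, service http; reference:url,www.blackhat.com/presentations/'
        'bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:1;)')
REV3 = ('# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound '
        'connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; '
        'fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset '
        'community, service http; reference:url,www.absolute.com/en/products/absolute-computrace; reference:url,'
        'www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:3;)')

def parse_rule(text):
    """Return (enabled, header, [(keyword, value), ...]) for one Snort rule.
    A leading '#' means the rule ships disabled. ';' separates options only
    outside double quotes, so a content string like "|0D 0A|TagId: " stays whole."""
    text = text.strip()
    enabled = not text.startswith("#")
    header, _, body = text.lstrip("# ").partition("(")
    opts, cur, in_quote = [], [], False
    for ch in body.rstrip().rstrip(")"):
        if ch == '"' and not (cur and cur[-1] == "\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, val = "".join(cur).strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip().strip('"')))
            cur = []
        else:
            cur.append(ch)
    return enabled, header.strip(), opts

def rule_summary(text):
    """Pull out the fields a reviewer compares between revisions."""
    enabled, _, opts = parse_rule(text)
    d = dict(opts)
    meta = [m.strip() for m in d.get("metadata", "").split(",")]
    return {"enabled": enabled, "sid": int(d["sid"]), "rev": int(d["rev"]),
            "category": d["msg"].split(" ", 1)[0],
            "policies": {m.split()[1] for m in meta if m.startswith("policy ")},
            "contents": [v for k, v in opts if k == "content"]}

def diff_revisions(old_text, new_text):
    """Return {field: (before, after)} for every field that differs between two revisions of one sid."""
    old, new = rule_summary(old_text), rule_summary(new_text)
    if old["sid"] != new["sid"]:
        raise ValueError("not the same rule")
    return {k: (old[k], new[k]) for k in old if old[k] != new[k]}

if __name__ == "__main__":
    for field, (before, after) in diff_revisions(REV1, REV3).items():
        print(f"{field}: {before!r} -> {after!r}")
```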