[Snort-sigs] Nettraveler sig

Joel Esler jesler at ...435...
Tue Jun 4 19:18:19 EDT 2013


James,

You are going to love this one..

I got the samples and ran them through our sandbox, captured the pcaps, ran them against Snort, etc.

We already catch this, so I'm thinking, no problem, I'll move the rule into the community ruleset.  I go to edit the rule, and it's already in the community ruleset.

ORLY?  I said to myself, who wrote it?

Looked in the AUTHORS file (in the community tarball) and guess who wrote it?

You.

Congrats.


26656


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Jun 4, 2013, at 6:39 PM, James Lay <jlay at ...3266...> wrote:

> On 2013-06-04 15:52, James Lay wrote:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
>> Nettraveler C2 Control Loop"; flow:to_server,established;
>> content:"nettraveler.asp|3f|action="; http_uri; ; metadata:policy
>> balanced-ips drop, policy security-ips drop, service http;
>> reference:url,http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf;
>> classtype:trojan-activity; sid:10000073; rev:1;)
>> 
>> Nice writeup in that PDF.
>> 
>> James
>> 
>> 
>> ------------------------------------------------------------------------------
>> How ServiceNow helps IT people transform IT departments:
>> 1. A cloud service to automate IT design, transition and operations
>> 2. Dashboards that offer high-level views of enterprise services
>> 3. A single system of record for all IT processes
>> http://p.sf.net/sfu/servicenow-d2d-j
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>> 
>> 
>> Please visit http://blog.snort.org for the latest news about Snort!
> 
> And fixed (extraneous ; )
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> Nettraveler C2 Control Loop"; flow:to_server,established; 
> content:"nettraveler.asp|3f|action="; http_uri; metadata:policy 
> balanced-ips drop, policy security-ips drop, service http; 
> reference:url,http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; 
> classtype:trojan-activity; sid:10000073; rev:2;)
> 
> James
> 
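An added example, not part of the list thread or the Snort project: a small Python emulation of what the rule's `content:"nettraveler.asp|3f|action="; http_uri;` clause inspects, run over constructed request lines. It expands Snort's `|3f|` hex escape, approximates the normalized URI buffer by percent-decoding, and shows that the match is an ordered substring test (query parameters in a different order do not hit). The sample requests and the host id value are constructed, not real traffic.

```python
from urllib.parse import unquote

# Content pattern exactly as in the list rule; |3f| is Snort's hex escape for '?'
RULE_CONTENT = 'nettraveler.asp|3f|action='

# Constructed sample request lines for illustration (hypothetical values, not captured traffic)
SAMPLE_REQUESTS = [
    "GET /nettraveler.asp?action=updated&hostid=HYPOTHETICAL HTTP/1.1",   # hit
    "GET /nettraveler.asp?hostid=HYPOTHETICAL&action=getcmd HTTP/1.1",    # miss: param order
    "GET /index.asp?action=login HTTP/1.1",                               # miss: other script
    "POST /nettraveler.asp HTTP/1.1",                                     # miss: no query
    "GET /nettraveler.asp%3Faction=ping HTTP/1.1",                        # hit after normalization
]


def snort_content_to_bytes(pattern: str) -> bytes:
    """Expand a Snort content string into raw bytes, decoding |xx yy| hex blocks."""
    out = bytearray()
    # Text outside |...| is literal; text inside is whitespace-separated hex bytes.
    for i, chunk in enumerate(pattern.split('|')):
        if i % 2 == 0:
            out.extend(chunk.encode('latin-1'))
        else:
            out.extend(bytes.fromhex(chunk))
    return bytes(out)


def request_uri(request_line: str) -> bytes:
    """Return the request URI, percent-decoded as a simplified stand-in for the
    normalized buffer that Snort's http_uri modifier inspects (assumption: this
    approximation covers only %xx decoding, not the full http_inspect normalizer)."""
    parts = request_line.split(' ')
    if len(parts) < 2:
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    return unquote(parts[1]).encode('latin-1')


def matches_rule(request_line: str, pattern: str = RULE_CONTENT) -> bool:
    """True when the expanded content pattern occurs anywhere in the URI buffer."""
    return snort_content_to_bytes(pattern) in request_uri(request_line)


def scan(requests):
    """Return the request lines the content clause would alert on."""
    return [r for r in requests if matches_rule(r)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("ALERT", hit)
```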
