[Snort-sigs] Nettraveler sig

James Lay jlay at ...3266...
Tue Jun 4 19:22:08 EDT 2013


LoL...that's awesome...thanks Joel :)

Sent from my iPhone

On Jun 4, 2013, at 17:18, Joel Esler <jesler at ...435...> wrote:

> James,
> 
> You are going to love this one..
> 
> I got the samples and ran them through our sandbox, captured the pcaps, ran them against Snort, etc.
> 
> We already catch this, so I'm thinking, no problem, I'll move the rule into the community ruleset.  I go to edit the rule, and it's already in the community ruleset.
> 
> ORLY?  I said to myself, who wrote it?
> 
> Looked in the AUTHORS file (in the community tarball) and guess who wrote it?
> 
> You.
> 
> Congrats.
> 
> 
> 26656
> 
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 
> 
> On Jun 4, 2013, at 6:39 PM, James Lay <jlay at ...3266...> wrote:
> 
>> On 2013-06-04 15:52, James Lay wrote:
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
>>> Nettraveler C2 Control Loop"; flow:to_server,established; 
>>> content:"nettraveler.asp|3f|action="; http_uri; ; metadata:policy 
>>> balanced-ips drop, policy security-ips drop, service http; 
>>> reference:url,http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; 
>>> classtype:trojan-activity; sid:10000073; rev:1;)
>>> 
>>> Nice writeup in that PDF.
>>> 
>>> James
>>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> How ServiceNow helps IT people transform IT departments:
>>> 1. A cloud service to automate IT design, transition and operations
>>> 2. Dashboards that offer high-level views of enterprise services
>>> 3. A single system of record for all IT processes
>>> http://p.sf.net/sfu/servicenow-d2d-j
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>> http://www.snort.org
>>> 
>>> 
>>> Please visit http://blog.snort.org for the latest news about Snort!
>> 
>> And fixed (extraneous ; )
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
>> Nettraveler C2 Control Loop"; flow:to_server,established; 
>> content:"nettraveler.asp|3f|action="; http_uri; metadata:policy 
>> balanced-ips drop, policy security-ips drop, service http; 
>> reference:url,http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; 
>> classtype:trojan-activity; sid:10000073; rev:2;)
>> 
>> James
>> 
> 
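Added example (not part of the thread, not Sourcefire/VRT code): the rule above has exactly one content check, `content:"nettraveler.asp|3f|action="; http_uri;`. The script below decodes the Snort `|hex|` escape and emulates that check over a handful of constructed HTTP requests, so the match can be exercised offline before the rule is loaded into a sensor. It models only the content/http_uri part of the rule: the flow direction, $HTTP_PORTS restriction and http_inspect's URI normalization are not reproduced, and the request lines, hostnames and query parameters are made up for illustration.

```python
"""Emulate the http_uri content match of the posted Nettraveler rule.

Added example, not code from the original thread. Only the
content:"nettraveler.asp|3f|action="; http_uri; check is modelled;
flow/port constraints and http_inspect normalization are not.
"""
from typing import Dict, Optional

# Content string copied from the rule in the thread.
RULE_CONTENT = "nettraveler.asp|3f|action="


def decode_snort_content(content: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal,
    text inside the pipes is space-separated hex (|3f| -> b'?')."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


PATTERN = decode_snort_content(RULE_CONTENT)  # b'nettraveler.asp?action='


def request_uri(raw: bytes) -> Optional[bytes]:
    """Return the request-target from the first line of a raw HTTP
    request, or None when the request line is malformed."""
    request_line = raw.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    if len(fields) != 3 or not fields[2].startswith(b"HTTP/"):
        return None
    return fields[1]


def matches_rule_content(raw: bytes) -> bool:
    """Emulate `content:"..."; http_uri;`: the bytes must appear in the
    URI buffer only (headers and body are not searched) and, since the
    rule has no `nocase` modifier, the comparison is case-sensitive."""
    uri = request_uri(raw)
    return uri is not None and PATTERN in uri


# Constructed sample requests (illustrative, not captured traffic;
# hostnames and query parameters are assumptions).
SAMPLES: Dict[str, bytes] = {
    "beacon": (
        b"GET /nettraveler.asp?action=updated&hostid=1 HTTP/1.1\r\n"
        b"Host: example.invalid\r\n\r\n"
    ),
    "mixed_case": (
        b"GET /NetTraveler.asp?action=updated HTTP/1.1\r\n"
        b"Host: example.invalid\r\n\r\n"
    ),
    "no_query": (
        b"GET /nettraveler.asp HTTP/1.1\r\n"
        b"Host: example.invalid\r\n\r\n"
    ),
    "only_in_header": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Referer: http://example.invalid/nettraveler.asp?action=updated\r\n\r\n"
    ),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the emulated match over every sample; only 'beacon' fires."""
    return {name: matches_rule_content(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:15s} {'ALERT' if hit else '-'}")
```

The two misses worth noticing are "mixed_case" and "only_in_header": the rule's content match is case-sensitive because no `nocase` modifier is present, and `http_uri` confines the search to the request URI, so the same string in a Referer header does not trigger it.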