[Snort-sigs] Travnet and PCRat sigs

James Lay jlay at ...3266...
Tue May 14 16:29:07 EDT 2013


Travnet botnet:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Travnet Botnet data upload"; flow:to_server,established; content:"GET"; 
http_method; content:"hostid="; content:"|26|hostname="; within:16; 
content:"|26|hostip="; metadata:policy balanced-ips drop, policy 
security-ips drop, service http; 
reference:url,http://blogs.mcafee.com/mcafee-labs/travnet-botnet-controls-victims-with-remote-admin-tool; 
classtype:trojan-activity; sid:10000057; rev:1)

PCRat:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR 
PCRat data upload"; flow:to_server,established; content:"PCRatd"; 
depth:6; metadata:policy balanced-ips drop, policy security-ips drop 
reference:url,http://blogs.mcafee.com/mcafee-labs/travnet-botnet-controls-victims-with-remote-admin-tool; 
classtype:misc-activity; sid:10000058; rev:1)

Not real cozy with an any/any rule but eh...didn't seem like a 
different way around this (maybe 1024:65535)?  As usual, comments and 
anything that optimizes or makes these rules useful/better are always 
appreciated.  Danke!

James




More information about the Snort-sigs mailing list