[Snort-sigs] Linux Fokirtor Backdoor

Y M snort at ...3751...
Tue Nov 19 15:43:51 EST 2013

I would imagine that the pcre may not be required, or may even not be right. Not much data to work with. Any second look at this would help.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"MALWARE-BACKDOOR Linux.Trojan.Fokirtor inbound command attempt"; flow:to_server,established; content:"|3A 21 3B 2E|"; fast_pattern:only; pcre:"/\x3a\x21\x3b\x2e[A-Z0-9]{10,}/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssh; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:100112;)
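As an added illustration (not part of the post above or of the Snort project), this Python script applies the rule's two conditions, the `|3A 21 3B 2E|` content prefilter and the pcre, to constructed sample payloads; the payloads are made up for the demonstration and the function names are mine, not Snort's.

```python
import re

# Taken from the proposed rule: the content match ":!;." (|3A 21 3B 2E|) is the
# fast-pattern prefilter, and the pcre then requires at least ten upper-case
# alphanumerics immediately after that marker.
MAGIC = b"\x3a\x21\x3b\x2e"
PCRE = re.compile(rb"\x3a\x21\x3b\x2e[A-Z0-9]{10,}")


def evaluate_rule(payload: bytes) -> dict:
    """Mimic Snort's evaluation order: content option first, pcre second.

    Returns which stage(s) the payload passed so the effect of the pcre
    on the final alert decision is visible.
    """
    content_hit = MAGIC in payload
    # Snort only evaluates the pcre option once the content option has matched.
    pcre_hit = bool(PCRE.search(payload)) if content_hit else False
    return {"content": content_hit, "pcre": pcre_hit, "alert": content_hit and pcre_hit}


# Constructed sample payloads (not real Fokirtor captures). They show where the
# pcre narrows the match: upper-case hex-like data after the marker alerts, but
# the same marker followed by lower-case, mixed-case or short data does not.
SAMPLES = {
    "upper_hex": b"SSH-2.0-junk" + MAGIC + b"4F2A9C1E7B3D\n",
    "lower_hex": MAGIC + b"4f2a9c1e7b3d",
    "base64ish": MAGIC + b"QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
    "too_short": MAGIC + b"ABC123",
    "no_magic": b"SSH-2.0-OpenSSH_6.2\r\n",
}


def run_samples() -> dict:
    """Return the alert decision for each constructed sample by name."""
    return {name: evaluate_rule(p)["alert"] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        stages = evaluate_rule(SAMPLES[name])
        print(f"{name:10s} content={stages['content']!s:5s} pcre={stages['pcre']!s:5s} alert={result}")
```

Only the first sample alerts; the others pass the content prefilter but fail the `[A-Z0-9]{10,}` clause, which is the restriction the post questions.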