[Snort-sigs] Snort Ebury SSH Rootkit

Lukas Matt lukas.matt at ...525...
Mon Feb 17 05:26:03 EST 2014


Hi guys,

The German intelligence agency wrote some Snort rule for detecting the
Ebury Rootkit.
Are you aware of that rule, and when will it be included in the
pattern-set?

    https://www.cert-bund.de/ebury-faq

    alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
    (msg:"Ebury SSH Rootkit data exfiltration"; \
    content:"|12 0b 01 00 00 01|"; depth:6; \
    pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; \
    reference:url,https://www.cert-bund.de/ebury-faq; \
    classtype:trojan-activity; sid:10001; rev:1;)


Cheers,
Lukas


-- 
Lukas Matt
Deep Packet Inspection Researcher, RnD

tel: +49-721-25516-322, cell: +49-174-3440-555

Sophos Technology GmbH
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany

SOPHOS Security made simple

---
Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
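The following is an added example, not part of Lukas's post or of the CERT-Bund material: it ports the two detection options of the quoted rule (the `content`/`depth:6` header check and the `pcre` over the raw UDP payload) to Python and runs them against constructed DNS queries. The sample packets, the hex string `deadbeef0123` and the labels `192.168.1.10` are made up here to have the shape the regex describes; they are not captures of real Ebury traffic. The `build_query` and `decode_qname` helpers are assumptions of this example, not Snort or CERT-Bund code.

```python
import re
import struct

# content:"|12 0b 01 00 00 01|"; depth:6 -> the bytes must sit in the first 6 bytes,
# i.e. DNS transaction id 0x120b, flags 0x0100 (standard query, RD) and QDCOUNT 1.
RULE_CONTENT = bytes.fromhex("120b01000001")

# pcre:"/.../Bs": B = match the raw payload, s = '.' also matches a newline byte.
RULE_PCRE = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01[\x00]{6}"       # header, then AN/NS/AR counts all zero
    rb".[a-f0-9]{6,}"                            # first label: length byte, then >= 6 hex chars
    rb"(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)"   # four 1-3 digit labels (dotted-IPv4 shape) or "::1"
    rb"\x00\x00\x01",                            # end of QNAME, then QTYPE A
    re.DOTALL,
)


def matches_ebury_rule(payload: bytes) -> bool:
    """True when a UDP/53 payload satisfies both options of the quoted rule."""
    if payload[:6] != RULE_CONTENT:   # cheap content check first, as Snort does
        return False
    return RULE_PCRE.search(payload) is not None


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Construct a minimal DNS query: one question, no answers (hypothetical helper)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def decode_qname(payload: bytes) -> str:
    """Read the question name back out of a DNS message (no compression pointers expected)."""
    labels, pos = [], 12
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


# Constructed samples (not real captures). The first two have the shape the pcre
# describes: a hex-encoded first label followed by four decimal labels or "::1".
SAMPLE_EXFIL = build_query(0x120B, "deadbeef0123.192.168.1.10")
SAMPLE_EXFIL_V6 = build_query(0x120B, "deadbeef0123.::1")
BENIGN_QUERY = build_query(0xABCD, "www.example.com")
# A normal resolver can pick transaction id 0x120b as well; only the pcre separates
# that case from the exfiltration pattern, which is why the rule carries both options.
BENIGN_SAME_TXID = build_query(0x120B, "www.example.com")

if __name__ == "__main__":
    for tag, pkt in [("exfil ipv4", SAMPLE_EXFIL), ("exfil ::1", SAMPLE_EXFIL_V6),
                     ("benign", BENIGN_QUERY), ("benign same txid", BENIGN_SAME_TXID)]:
        print(f"{tag:17} qname={decode_qname(pkt)!r:30} alert={matches_ebury_rule(pkt)}")
```

Running the block prints one line per sample; the two constructed exfiltration-shaped queries alert and both benign queries do not, including the one that shares the 0x120b transaction id and so passes the `content` check alone.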
