[Snort-sigs] Snort Ebury SSH Rootkit

Y M snort at ...3751...
Mon Feb 17 05:30:12 EST 2014


Hi Lukas,
 
This was posted to the list 2 days ago :).
 
http://seclists.org/snort/2014/q1/364
 
YM
 
Date: Mon, 17 Feb 2014 11:26:03 +0100
From: lukas.matt at ...525...
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Snort Ebury SSH Rootkit

Hi guys,

the German intelligence agency wrote some Snort rule for detecting
the Ebury Rootkit.

Are you aware of that rule, and when will it be included into the
pattern-set?

https://www.cert-bund.de/ebury-faq

# Matches a DNS query with transaction ID 0x120b, flags 0x0100 and QDCOUNT 1
# whose QNAME is a hex-encoded label followed by four 1-3 digit labels (an
# IPv4 address) or the label "::1". The pcre must stay on one line: a
# continuation inside the quoted pattern would leave whitespace in the regex.
# Character class corrected from [\x01|\x02|\x03], which also matched a literal '|'.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
(msg:"Ebury SSH Rootkit data exfiltration";\
content:"|12 0b 01 00 00 01|"; depth:6;\
pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01\x02\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs";\
reference:url,https://www.cert-bund.de/ebury-faq;\
classtype:trojan-activity; sid:10001; rev:1;)

Cheers,

Lukas


    -- 
Lukas Matt
Deep Packet Inspection Researcher, RnD

tel: +49-721-25516-322, cell: +49-174-3440-555

Sophos Technology GmbH 
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany

SOPHOS Security made simple

---
Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany 
Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
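An added example, not the CERT-Bund rule itself and not from anyone in this thread: the rule's content and pcre conditions transcribed to Python and run against constructed DNS query payloads, so the signature can be checked offline before it goes into a rule set, with a matching packet also decoded into the hex blob and address it carries for alert enrichment. The function names and the sample QNAMEs are assumptions; the character class is written as [\x01\x02\x03] because the quoted [\x01|\x02|\x03] also matches a literal '|'.

```python
import re

# Added example (not the CERT-Bund rule itself): the rule's two conditions in
# Python, checked against constructed DNS payloads. Names are assumptions.

# content:"|12 0b 01 00 00 01|"; depth:6;  -> txid 0x120b, flags 0x0100, QDCOUNT 1
CONTENT_PREFIX = bytes.fromhex("120b01000001")
# The rule's pcre; class written [\x01\x02\x03] (the quoted [\x01|\x02|\x03]
# also matched a literal '|'). The /s flag becomes re.DOTALL.
EBURY_PCRE = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}"
    rb"(([\x01\x02\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01",
    re.DOTALL,
)

def matches_ebury_rule(udp_payload: bytes) -> bool:
    """True if the raw DNS payload satisfies both of the rule's conditions."""
    if udp_payload[:6] != CONTENT_PREFIX:  # depth:6 -> only the first 6 bytes
        return False
    return EBURY_PCRE.match(udp_payload) is not None

def build_dns_query(labels, txid=0x120B):
    """Minimal DNS A/IN query for the given QNAME labels (test fixture builder)."""
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01" + b"\x00" * 6
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"  # QTYPE A, QCLASS IN

def qname_labels(udp_payload: bytes):
    """Decode the QNAME labels of a query (questions carry no name compression)."""
    labels, pos = [], 12
    while udp_payload[pos]:
        n = udp_payload[pos]
        labels.append(udp_payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return labels

def exfil_context(udp_payload: bytes):
    """For a matching packet, return (hex blob, dotted address) for alert enrichment."""
    if not matches_ebury_rule(udp_payload):
        return None
    labels = qname_labels(udp_payload)
    return labels[0], ".".join(labels[1:])

# Constructed samples: two shapes the rule describes and two ordinary lookups
# sharing the transaction ID, so the PCRE (not just the prefix) is exercised.
SUSPECT = build_dns_query(["deadbeef0123", "192", "0", "2", "1"])
SUSPECT_V6 = build_dns_query(["cafe01", "::1"])
BENIGN = build_dns_query(["www", "example", "com"])
BENIGN_HEX = build_dns_query(["abcdef", "example", "com"])
```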
  

