[Snort-sigs] Snort Ebury SSH Rootkit

Lukas Matt lukas.matt at ...525...
Mon Feb 17 05:35:52 EST 2014


Thanks YM!

But if I see that correctly, there was no answer as to whether it will be
included or not (and when), right?

Cheers,
Lukas

On 02/17/2014 11:30 AM, Y M wrote:
> Hi Lukas,
>
> This was posted to the list 2 days ago :).
>
> http://seclists.org/snort/2014/q1/364
>
> YM
>
> ------------------------------------------------------------------------
> Date: Mon, 17 Feb 2014 11:26:03 +0100
> From: lukas.matt at ...525...
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Snort Ebury SSH Rootkit
>
> Hi guys,
>
> The German intelligence agency wrote a Snort rule for detecting the
> Ebury rootkit.
> Are you aware of that rule, and when will it be included in the
> pattern set?
>
>     https://www.cert-bund.de/ebury-faq
>
>     alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
>       (msg:"Ebury SSH Rootkit data exfiltration"; \
>       content:"|12 0b 01 00 00 01|"; depth:6; \
>       pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; \
>       reference:url,https://www.cert-bund.de/ebury-faq; \
>       classtype:trojan-activity; sid:10001; rev:1;)
>
>
> Cheers,
> Lukas
>
>
> -- 
> Lukas Matt
> Deep Packet Inspection Researcher, RnD
>
> tel: +49-721-25516-322, cell: +49-174-3440-555
>
> Sophos Technology GmbH
> Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
>
> SOPHOS Security made simple
>
> ---
> Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
> Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
>


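For readers who want to see what the CERT-Bund rule quoted in this thread actually keys on, here is an added example (my own code, not CERT-Bund's, Sophos's or the Snort project's) that builds a DNS query in the shape the rule's PCRE describes and runs the same content/depth check and regex over it in Python. Everything about the byte layout is read off the rule itself: a fixed transaction ID of 0x120b, standard-query flags 0x0100, one question and zero answer/authority/additional records, a QNAME whose first label is a hex string of six or more characters followed by four dotted IPv4 labels (or a single "::1" label), and QTYPE A. The hex payload, the address 198.51.100.7, the "::1" variant and the benign www.example.com lookup are constructed sample inputs, not captures; the helper names are mine.

```python
import re
import struct

# PCRE body copied verbatim from the CERT-Bund rule. Snort's /B (raw payload)
# and /s (dotall) flags become a bytes pattern compiled with re.DOTALL.
EBURY_PCRE = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}"
    rb"(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01",
    re.DOTALL,
)
# content:"|12 0b 01 00 00 01|"; depth:6;  -> the payload must begin with these bytes
CONTENT_PREFIX = bytes.fromhex("120b01000001")


def build_dns_query(txid: int, labels: list[bytes], qtype: int = 1) -> bytes:
    """Assemble a minimal DNS query: 12-byte header, one question, nothing else."""
    # txid, flags (0x0100 = standard query, RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS IN


def matches_ebury_rule(udp_payload: bytes) -> bool:
    """Apply the rule as Snort would: cheap content/depth check first, then the PCRE."""
    if udp_payload[:6] != CONTENT_PREFIX:
        return False
    return EBURY_PCRE.search(udp_payload) is not None


def parse_qname(udp_payload: bytes) -> list[bytes]:
    """Walk the question-section QNAME labels (a query carries no compression pointers)."""
    labels, pos = [], 12
    while True:
        length = udp_payload[pos]
        pos += 1
        if length == 0:
            return labels
        labels.append(udp_payload[pos:pos + length])
        pos += length


def extract_exfil(udp_payload: bytes):
    """For a packet the rule flags, return (hex_payload, address_string); else None."""
    if not matches_ebury_rule(udp_payload):
        return None
    labels = parse_qname(udp_payload)
    return labels[0].decode("ascii"), ".".join(l.decode("ascii") for l in labels[1:])


# Constructed samples (hypothetical, not real captures): a query shaped like the
# rule's PCRE, the same with the "::1" alternative, and a benign lookup that
# happens to use the same transaction ID.
EBURY_SAMPLE = build_dns_query(0x120B, [b"0123456789abcdef", b"198", b"51", b"100", b"7"])
EBURY_SAMPLE_V6 = build_dns_query(0x120B, [b"cafe0123", b"::1"])
BENIGN_SAMPLE = build_dns_query(0x120B, [b"www", b"example", b"com"])

if __name__ == "__main__":
    for name, pkt in [("ebury", EBURY_SAMPLE), ("ebury-v6", EBURY_SAMPLE_V6), ("benign", BENIGN_SAMPLE)]:
        print(f"{name:9s} match={matches_ebury_rule(pkt)} exfil={extract_exfil(pkt)}")
```

Two things worth noticing when reading the rule this way: the content match with depth:6 is effectively a check that the query uses transaction ID 0x120b with standard-query flags and QDCOUNT 1, so a benign query that happens to use that ID still has to survive the PCRE; and the character class `[\x01|\x02|\x03]` contains a literal `|`, so a label length byte of 0x7c would also be accepted where `[\x01-\x03]` was clearly intended. That slip makes no practical difference, and the block above keeps the rule text verbatim.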
