[Snort-sigs] Snort Ebury SSH Rootkit

rmkml rmkml at ...174...
Sat Feb 22 15:02:59 EST 2014


Thx you YM for sharing,

On msg, maybe add "i" on activty.

add flow:to_server,established;

add depth:7 after first content

add content:!"|0A|"; within:20; distance:0; after isdataat

I don't know if the backdoor is inbound (in your example, to $HOME_NET) or outbound (to $EXTERNAL_NET)?

Regards
@Rmkml



On Sat, 22 Feb 2014, Y M wrote:

> Another rule suggested/authored by ESET on welivesecurity. Sig is at the bottom:
>  
> http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
>  
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"Linux/Ebury SSH backdoor activty"; content:"SSH-2.0"; isdataat:20,relative; pcre:"/^SSH-2\.0-[0-9a-f]{22,46}/sm"; reference:url,http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/; classtype:trojan-activity; sid:1000001; rev:1;)
> 
>  
> > Date: Mon, 17 Feb 2014 13:33:31 +0100
> > From: rmkml at ...174...
> > To: snort at ...3751...; lukas.matt at ...525...
> > CC: snort-sigs at lists.sourceforge.net; rmkml at ...174...
> > Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> >
> > Thx you for sharing,
> >
> > I'm curious whether this rootkit always uses the same DNS transaction ID?
> >
> > This sig fixed 0x120b (4619 dec)
> >
> > Two comments:
> > - extra [] on [\x00]{6}
> > - extra | on [\x01|\x02|\x03]
> >
> > Regards
> > @Rmkml
> >
> >
> > On Mon, 17 Feb 2014, Y M wrote:
> >
> > > I can't help with that :).
> > >  
> > > YM
> > >  
> > >
> > > Date: Mon, 17 Feb 2014 11:35:52 +0100
> > > From: lukas.matt at ...525...
> > > To: snort at ...3751...
> > > CC: snort-sigs at lists.sourceforge.net
> > > Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> > >
> > > Thanks YM!
> > >
> > > But if I see that correctly there was no answer whether it will be included or not right (and when)?
> > >
> > > Cheers,
> > > Lukas
> > >
> > > On 02/17/2014 11:30 AM, Y M wrote:
> > > Hi Lukas,
> > >  
> > > This has been posted to the list 2 days ago :).
> > >  
> > > http://seclists.org/snort/2014/q1/364
> > >  
> > > YM
> > >  
> > >
> > > Date: Mon, 17 Feb 2014 11:26:03 +0100
> > > From: lukas.matt at ...525...
> > > To: snort-sigs at lists.sourceforge.net
> > > Subject: [Snort-sigs] Snort Ebury SSH Rootkit
> > >
> > > Hi guys,
> > >
> > > the German intelligence agency wrote some Snort rule for detecting the Ebury Rootkit.
> > > Are you aware of that rule, and when will it be included in the pattern set?
> > >
> > > https://www.cert-bund.de/ebury-faq
> > >
> > > alert udp $HOME_NET any -> $EXTERNAL_NET 53 \ (msg:"Ebury SSH Rootkit data exfiltration";\ content:"|12 0b 01 00 00 01|"; depth:6;\ pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}\
> > > (([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs";\ reference:url,https://www.cert-bund.de/ebury-faq;\ classtype:trojan-activity; sid:10001; rev:1;)
> > >
> > >
> > > Cheers,
> > > Lukas
> > >
> > >
> > > --
> > > Lukas Matt
> > > Deep Packet Inspection Researcher, RnD
> > >
> > > tel: +49-721-25516-322, cell: +49-174-3440-555
> > >
> > > Sophos Technology GmbH
> > > Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
> > >
> > > SOPHOS Security made simple
> > >
> > > ---
> > > Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> > > Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
> > > Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
> > >
> > >
> > >
> > >
> > >
> 
>
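As an added illustration (my own code, not written by any poster in this thread, ESET, CERT-Bund or the Snort project), the following Python harness mirrors the matching logic of the two rules discussed above so the proposed changes can be checked against sample payloads. The SSH part implements the welivesecurity rule together with rmkml's refinements (depth:7, no 0x0A within 20 bytes after "SSH-2.0"); the DNS part implements the CERT-Bund rule with the two character-class fixes from the thread (`[\x00]{6}` is just `\x00{6}`, and `[\x01|\x02|\x03]` also accepts a literal `|`, so it becomes `[\x01-\x03]`). All sample banners and DNS queries are constructed for the test: the hex strings and IP labels are made-up values, not real Ebury indicators, and the byte-level checks are my approximation of Snort's option semantics, not Snort's own matcher.

```python
import re

# --- Rule 1: SSH banner rule with the thread's refinements -----------------------
# Original pcre kept unchanged: /^SSH-2\.0-[0-9a-f]{22,46}/sm
SSH_BANNER_RE = re.compile(rb"^SSH-2\.0-[0-9a-f]{22,46}", re.S | re.M)


def matches_ebury_ssh_banner(payload: bytes) -> bool:
    """True when the payload satisfies every option of the refined SSH rule."""
    # content:"SSH-2.0"; depth:7;  -> the banner must open the payload
    if payload[:7] != b"SSH-2.0":
        return False
    rest = payload[7:]
    # isdataat:20,relative;  -> at least 20 bytes follow the matched content
    if len(rest) < 20:
        return False
    # content:!"|0A|"; within:20; distance:0;  -> no line break in those 20 bytes.
    # A normal short banner packed together with the following key-exchange
    # packet is dropped here, before the pcre has to run.
    if b"\n" in rest[:20]:
        return False
    # pcre: the version string is 22..46 lowercase hex characters
    return SSH_BANNER_RE.match(payload) is not None


# --- Rule 2: CERT-Bund DNS rule with the corrected character classes -------------
DNS_HEADER = b"\x12\x0b\x01\x00\x00\x01"  # TXID 0x120b, flags 0x0100, QDCOUNT 1
DNS_EXFIL_RE = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01\x00{6}"    # header; AN/NS/AR counts all zero
    rb".[a-f0-9]{6,}"                        # label length byte, then >= 6 hex chars
    rb"(([\x01-\x03]\d{1,3}){4}|\x03::1)"    # four 1-3 digit labels (an IPv4) or "::1"
    rb"\x00\x00\x01",                        # end of name, QTYPE A
    re.S,
)

# The class as posted versus the corrected one, to show the '|' problem.
ORIGINAL_LABEL_CLASS = re.compile(rb"[\x01|\x02|\x03]")
FIXED_LABEL_CLASS = re.compile(rb"[\x01-\x03]")


def label_len_class_accepts_pipe(pattern) -> bool:
    """Whether a label-length character class also accepts the byte 0x7c ('|')."""
    return pattern.match(b"|") is not None


def matches_ebury_dns_exfil(payload: bytes) -> bool:
    """True when the payload satisfies the DNS rule (content at depth:6 plus pcre)."""
    if payload[:6] != DNS_HEADER:  # content:"|12 0b 01 00 00 01|"; depth:6;
        return False
    return DNS_EXFIL_RE.match(payload) is not None


def build_dns_query(labels, txid=0x120B) -> bytes:
    """Build a minimal DNS A query from a label list (constructed test input)."""
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01" + b"\x00" * 6
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"  # QTYPE A, QCLASS IN


if __name__ == "__main__":
    # Constructed samples; the hex and address values are made up.
    hexlike_banner = b"SSH-2.0-" + b"0123456789abcdef" * 2 + b"\r\n"
    normal_banner = b"SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.1\r\n"
    print("hex-like banner:", matches_ebury_ssh_banner(hexlike_banner))
    print("normal banner:  ", matches_ebury_ssh_banner(normal_banner))

    exfil_query = build_dns_query([b"deadbeef0123", b"192", b"168", b"1", b"10"])
    benign_query = build_dns_query([b"www", b"example", b"com"])
    print("exfil-shaped query:", matches_ebury_dns_exfil(exfil_query))
    print("benign query:      ", matches_ebury_dns_exfil(benign_query))
    print("original class accepts '|':", label_len_class_accepts_pipe(ORIGINAL_LABEL_CLASS))
    print("fixed class accepts '|':   ", label_len_class_accepts_pipe(FIXED_LABEL_CLASS))
```

Running the script prints True for the hex-like banner and the exfil-shaped query and False for the benign ones; it also shows that the class as posted matches a `|` byte while the corrected range does not. The harness only checks payload shape, so the flow direction question raised above (inbound to $HOME_NET versus outbound to $EXTERNAL_NET) still has to be settled in the rule header itself.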

