[Snort-sigs] [Snort-users] Vbs rat threat rules

waldo kitty wkitty42 at ...3507...
Tue Jan 28 12:46:41 EST 2014

On 1/28/2014 12:07 PM, Feroz Basir wrote:
> Hi,
> Thanks for replying. My packet go through a proxy and snort is between 2
> proxies. I've just learned that this proxy might change or encapsulate the
> packet. I'm trying to monitor vbs rat threat that making connection from the
> inside to outside world via various port numbers and hostname. I have the rule
> but it didn't work. So I thought vrt could have a special rule for this.

as noted, there are numerous RAT oriented rules... /which/ specific RAT are you 
looking for? what do you mean with the term "vbs"?? to many people, that means 
"Visual BaSic"...

> Alert tcp $home_net any -> $external_host 1000 (msg:"alert vbs rat"
> content:"Host|3A|"; nocase; http_header; content:"some.website.net
> <http://some.website.net>"; nocase; http_header; fast_pattern:only; priority:1;
> Sid:1000002; rev:1;)

since your snort is sitting between two proxies and there is the possibility 
that the traffic may be encapsulated, have you tried capturing the traffic 
directly as it passes? you can use tcpdump to capture to a pcap and then review 
the traffic to see what format it is taking...

are both proxies in your $home_net or is the external proxy outside your defined 
$home_net? if it is within your $home_net, your rule will not detect it in some 
cases... these cases will depend on what you have defined for each...

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-sigs mailing list