[Snort-sigs] [Snort-users] Vbs rat threat rules
wkitty42 at ...3507...
Tue Jan 28 12:46:41 EST 2014
On 1/28/2014 12:07 PM, Feroz Basir wrote:
> Thanks for replying. My packets go through a proxy and snort is between 2
> proxies. I've just learned that this proxy might change or encapsulate the
> packets. I'm trying to monitor a vbs rat threat that is making connections from the
> inside to the outside world via various port numbers and hostnames. I have the rule
> but it didn't work. So I thought VRT could have a special rule for this.
as noted, there are numerous RAT oriented rules... /which/ specific RAT are you
looking for? what do you mean by the term "vbs"?? to many people, that means
> alert tcp $home_net any -> $external_host 1000 (msg:"alert vbs rat"; \
>     content:"Host|3A|"; nocase; http_header; \
>     content:"some.website.net"; nocase; http_header; fast_pattern:only; \
>     priority:1; sid:1000002; rev:1;)
since your snort is sitting between two proxies and there is the possibility
that the traffic may be encapsulated, have you tried capturing the traffic
directly as it passes? you can use tcpdump to capture to a pcap and then review
the traffic to see what format it is taking...
are both proxies in your $home_net or is the external proxy outside your defined
$home_net? if it is within your $home_net, your rule will not detect it in some
cases... these cases will depend on what you have defined for each...
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
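The $home_net point above (the rule's destination side is effectively !$home_net, so a proxy that sits inside $home_net never satisfies the header part of the rule, whatever the Host header says) is easy to check offline. The following is an added example, not code from the thread or from Snort: it re-implements the quoted rule's network/port constraints and its two http_header content matches in Python over a constructed HTTP request, so the "internal proxy" case can be seen failing before any packet is captured. The $home_net ranges, the 203.0.113.10 proxy address and the request bytes are all constructed for illustration.

```python
import ipaddress

# Constructed stand-ins for the snort.conf variables in the quoted rule:
#   alert tcp $home_net any -> $external_host 1000 ( ... )
# $external_host is assumed here to mean "anything not in $home_net",
# which is how $EXTERNAL_NET is usually defined.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]
SERVER_PORT = 1000                 # the port in the quoted rule
HOST_PATTERN = b"some.website.net" # second content match in the quoted rule


def in_home_net(ip: str) -> bool:
    """True when ip falls inside any $home_net range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def header_matches(http_request: bytes, pattern: bytes = HOST_PATTERN) -> bool:
    """Emulate: content:"Host|3A|"; nocase; http_header;
                content:"<pattern>"; nocase; http_header;
    Both strings must appear in the header block (everything before the
    blank line), compared case-insensitively, as nocase does."""
    header_block = http_request.split(b"\r\n\r\n", 1)[0].lower()
    return b"host:" in header_block and pattern.lower() in header_block


def rule_would_fire(src_ip: str, dst_ip: str, dst_port: int,
                    http_request: bytes) -> bool:
    """Rule header first (source in $home_net, destination outside it, port
    1000), then the payload matches. Any failed constraint means no alert."""
    if not in_home_net(src_ip):
        return False
    if in_home_net(dst_ip):        # destination inside $home_net: never matches
        return False
    if dst_port != SERVER_PORT:
        return False
    return header_matches(http_request)


# Constructed request as a client would send it to a proxy.
REQUEST = (b"GET / HTTP/1.1\r\n"
           b"Host: Some.Website.NET\r\n"
           b"User-Agent: constructed-sample\r\n"
           b"\r\n")


def scenarios() -> dict:
    """The three situations discussed in the thread, as name -> fires?"""
    return {
        # client -> external proxy (outside $home_net) on port 1000: alert
        "external_proxy": rule_would_fire("10.1.1.5", "203.0.113.10", 1000, REQUEST),
        # client -> internal proxy (inside $home_net): header never matches
        "internal_proxy": rule_would_fire("10.1.1.5", "10.1.1.250", 1000, REQUEST),
        # same hosts, but the RAT picked another port: no alert either
        "other_port":     rule_would_fire("10.1.1.5", "203.0.113.10", 8080, REQUEST),
    }


if __name__ == "__main__":
    for name, fired in scenarios().items():
        print(f"{name:15s} -> {'ALERT' if fired else 'no alert'}")
```

Two caveats carry over to real Snort that this emulation does not model: http_header only sees traffic the HTTP preprocessor has normalised, so port 1000 has to be listed in the http_inspect_server ports for that modifier to apply at all, and if the first proxy rewrites or tunnels the request (the encapsulation the reply asks about), the Host header on the wire between the proxies may no longer be the one the client sent, which is exactly why a raw tcpdump capture at the sensor is the right first step.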