[Snort-sigs] ZeroAccess Supernode
adimino at ...3810...
Fri May 30 11:59:31 EDT 2014
$dayjob has been receiving reports that a few of our hosts are acting as
Since we have a bunch of ZeroAccess rules enabled, I was wondering why I
didn't see them fire.
It seems that rule sid:23493; rev:5 will fire on outbound traffic
particular to this ZeroAccess incident; however, it won't fire on the
alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471]
(msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication";
flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4;
metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips
drop, policy security-ips drop; reference:url,
classtype:trojan-activity; sid:23493; rev:5; )
So I tweaked the rule as follows to allow for the alerting on inbound
alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471]
(msg:"ZeroAccess Supernode Inbound Traffic"; flow:to_server; dsize:16;
content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red,
policy balanced-ips drop, policy connectivity-ips drop, policy security-ips
I need to tweak thresholding a bit, but overall it has been working well in
my limited tests.
Any thoughts or comments?
Andre' M. DiMino
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
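To make the asymmetry in the post concrete, here is an added example (not Snort's code and not the poster's) that re-implements the body of the two rules above: the UDP port list, dsize:16, and content:"|28 94 8D AB|" at offset:4 depth:4, plus a minimal "threshold: type limit, track by_src" limiter of the kind the poster says still needs tuning. $HOME_NET, the treatment of $EXTERNAL_NET as !$HOME_NET, the simplified reading of flow:to_server as "packet travels in the rule's direction", and the sample datagrams are all constructed assumptions.

```python
"""Offline re-implementation of the ZeroAccess rule bodies from the post.
This is an added example, not Snort's matching engine.  HOME_NET, the
EXTERNAL_NET = !HOME_NET assumption and the datagrams below are constructed."""
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("10.0.0.0/8")       # assumed value of $HOME_NET
ZA_PORTS = frozenset({16464, 16465, 16470, 16471})  # port list from both rules
ZA_MAGIC = bytes.fromhex("28948DAB")                # content:"|28 94 8D AB|"


@dataclass(frozen=True)
class UdpDatagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    msg: str
    inbound: bool  # True: $EXTERNAL_NET any -> $HOME_NET ports; False: the reverse


def in_home(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def payload_matches(payload: bytes) -> bool:
    # dsize:16 -> the datagram payload must be exactly 16 bytes.
    # offset:4 depth:4 with a 4-byte pattern -> the pattern must sit at bytes 4..7.
    return len(payload) == 16 and payload[4:8] == ZA_MAGIC


def rule_fires(rule: Rule, d: UdpDatagram) -> bool:
    # Header direction check.  flow:to_server is treated here as "the packet is
    # travelling in the rule's stated direction", a simplification of Snort's
    # UDP session tracking (assumption).
    if rule.inbound:
        direction_ok = (not in_home(d.src)) and in_home(d.dst)
    else:
        direction_ok = in_home(d.src) and (not in_home(d.dst))
    return direction_ok and d.dport in ZA_PORTS and payload_matches(d.payload)


OUTBOUND_RULE = Rule("MALWARE-CNC Win.Trojan.ZeroAccess outbound communication", inbound=False)
INBOUND_RULE = Rule("ZeroAccess Supernode Inbound Traffic", inbound=True)
RULES = (OUTBOUND_RULE, INBOUND_RULE)


class SrcLimiter:
    """Simplified 'threshold: type limit, track by_src, count N, seconds W':
    at most N alerts per source per W-second window (window resets on expiry)."""

    def __init__(self, count: int, seconds: float) -> None:
        self.count, self.seconds = count, seconds
        self._state: dict[str, tuple[float, int]] = {}  # src -> (window_start, hits)

    def allow(self, src: str, now: float) -> bool:
        start, hits = self._state.get(src, (now, 0))
        if now - start >= self.seconds:
            start, hits = now, 0
        hits += 1
        self._state[src] = (start, hits)
        return hits <= self.count


def alerts_for(d: UdpDatagram) -> list[str]:
    """Messages of every rule in RULES that fires on datagram d."""
    return [r.msg for r in RULES if rule_fires(r, d)]


# Constructed sample traffic (RFC 5737 addresses; the 16-byte payload is made up
# apart from the 4 magic bytes at offset 4).
ZA_PAYLOAD = b"\x00\x01\x02\x03" + ZA_MAGIC + b"\x00" * 8
SAMPLES = {
    "outbound": UdpDatagram("10.1.2.3", 53211, "198.51.100.7", 16464, ZA_PAYLOAD),
    "inbound": UdpDatagram("203.0.113.9", 16470, "10.1.2.3", 16464, ZA_PAYLOAD),
    "inbound_wrong_size": UdpDatagram("203.0.113.9", 16470, "10.1.2.3", 16464, ZA_PAYLOAD + b"\x00" * 4),
    "inbound_wrong_port": UdpDatagram("203.0.113.9", 16470, "10.1.2.3", 16472, ZA_PAYLOAD),
}

if __name__ == "__main__":
    for name, d in SAMPLES.items():
        print(f"{name:20s} {d.src}:{d.sport} -> {d.dst}:{d.dport}  alerts={alerts_for(d)}")
```

Running it shows the point of the post: the stock outbound rule fires only on the 10.x -> external datagram, while the flipped header is what catches a supernode being contacted from outside; the wrong-size and wrong-port samples trip neither rule. The limiter is the piece to adjust once a real supernode starts drawing many peers per minute.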