[Snort-sigs] backdoored ssh-decorator package

Phillip Lee phillile at sourcefire.com
Thu May 10 11:38:20 EDT 2018

Hi Yaser,
After reviewing the rule, we have decided not to add it to the community ruleset.  There are two reasons:
1. The pip package in question has been taken down
2. The rule content would likely result in FPs due to generic use of parameters seen in other applications. Your general rule is OK (other than using ‘index.php’ as a fast_pattern - would enter way too often), it's just that with those parameters, it's not something unique to only the ssh-decorator package.

We sincerely appreciate your contribution.

Phil Lee
Cisco Talos

> On May 10, 2018, at 10:24 AM, wkitty42 at windstream.net wrote:
> On 05/09/2018 04:03 PM, Y M via Snort-sigs wrote:
>> Hi,
>> The below rule is derived from the reference. Simple testing with python is shown below as illustrated in the screenshot in the reference.
> was this thing fixed from the original(?) one? i've seen another one that misspells "password" one time... the 'w' and the 'o' are reversed...
> -- 
> NOTE: No off-list assistance is given without prior approval.
>       *Please keep mailing list traffic on the list unless*
>       *a signed and pre-paid contract is in effect with us.*