[Snort-users] Vbs rat threat rules

Feroz Basir feroz.basir at ...11827...
Tue Jan 28 12:07:30 EST 2014


Hi,

Thanks for replying. My packets go through a proxy, and Snort sits between two proxies. I've just learned that this proxy might change or encapsulate the packets. I'm trying to monitor a VBS RAT threat that makes connections from the inside to the outside world via various port numbers and hostnames. I have the rule, but it didn't work. So I thought VRT could have a special rule for this.

alert tcp $HOME_NET any -> $EXTERNAL_NET 1000 (msg:"alert vbs rat"; content:"Host|3A|"; nocase; http_header; content:"some.website.net"; nocase; http_header; fast_pattern:only; priority:1; sid:1000002; rev:1;)

Thanks.


Regards,
Feroz Basir
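An added check, written here in Python and not part of the thread or of Snort, that emulates the rule's two header contents (Host|3A| and some.website.net, both nocase) over three constructed requests: a direct one, a proxied one with an absolute URI, and one re-issued by an upstream hop as HTTP/1.0 without a Host header. The sample bytes and the hop behaviour are assumptions, and the header split only approximates Snort's http_header buffer:

```python
# Constructed sample requests (not captured traffic), one per case.
SAMPLES = {
    # Client talks to the site directly: both contents are in the headers.
    "direct": (b"GET / HTTP/1.1\r\n"
               b"Host: some.website.net\r\n"
               b"User-Agent: Mozilla/4.0\r\n\r\n"),
    # Client talks through a forward proxy: absolute URI in the request
    # line, Host header still carried, mixed case (the rule uses nocase).
    "proxied": (b"GET http://SOME.Website.NET/check HTTP/1.1\r\n"
                b"Host: SOME.Website.NET\r\n"
                b"Proxy-Connection: keep-alive\r\n\r\n"),
    # Assumed upstream hop re-issued the request as HTTP/1.0 with no Host
    # header: the hostname survives only in the request line, so a
    # header-only match on "Host:" finds nothing.
    "rewritten": (b"GET http://some.website.net/check HTTP/1.0\r\n"
                  b"User-Agent: Mozilla/4.0\r\n\r\n"),
}


def header_block(raw: bytes) -> bytes:
    """Header lines after the request line, up to the blank line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers


def rule_matches(raw: bytes) -> bool:
    """Emulate the rule's two http_header contents, both case-insensitive."""
    hdrs = header_block(raw).lower()
    return b"host:" in hdrs and b"some.website.net" in hdrs


def check_samples() -> dict:
    """Map each sample name to whether the emulated rule would fire."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in check_samples().items():
        print(f"{name:10s} -> {'match' if fired else 'no match'}")
```

If the hop between the two proxies behaves like the third sample, a hostname match should also look at the request line (the http_uri or raw URI buffer), not only at headers.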

> On 28 Jan 2014, at 10:40, "Joel Esler (jesler)" <jesler at ...589...> wrote:
> 
> Perhaps the reason is, "vbs rat" isn't a specific attack, it's a generic term. We have lots of detection for Remote Access Tools; which one is really the question.
> 
> 
>> On Jan 27, 2014, at 7:49 PM, Feroz Basir <feroz.basir at ...11827...> wrote:
>> 
>> Hi again,
>> 
>> Does anybody know? Please help. Thanks.
>> 
>> 
>> Regards,
>> Feroz Fazidi Bin Basir
>> 
>>> On 25 Jan 2014, at 19:34, Feroz Basir <feroz.basir at ...11827...> wrote:
>>> 
>>> Hi all, 
>>> 
>>> Does anybody know which rule VRT uses for detecting the VBS RAT threat? I'm sniffing proxy packets, which I think change the packet.
>>> 
>>> Thanks.
>>> 
>>> 
>>> Regards,
>>> Feroz Basir
>> 