Home page logo
/

snort logo Snort mailing list archives

Re: Nettraveler sig
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 4 Jun 2013 17:22:08 -0600

LoL...that's awesome...thanks Joel :)

Sent from my iPhone

On Jun 4, 2013, at 17:18, Joel Esler <jesler () sourcefire com> wrote:

James,

You are going to love this one..

I got the samples and ran them through our sandbox, captured the pcaps, ran them against Snort, etc.

We already catch this, so I'm thinking, no problem, I'll move the rule into the community ruleset.  I go to edit the 
rule, and it's already in the community ruleset.

ORLY?  I said to myself, who wrote it?

Looked in the AUTHORS file (in the community tarball) and guess who wrote it?

You.

Congrats.


26656


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Jun 4, 2013, at 6:39 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2013-06-04 15:52, James Lay wrote:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"MALWARE-CNC
Nettraveler C2 Control Loop"; flow:to_server,established;
content:"nettraveler.asp|3f|action="; http_uri; ; metadata:policy
balanced-ips drop, policy security-ips drop, service http;

reference:url,http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf;

classtype:trojan-activity; sid:10000073; rev:1;)

Nice writeup in that PDF.

James


------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

And fixed (extraneous ; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Nettraveler C2 Control Loop"; flow:to_server,established; 
content:"nettraveler.asp|3f|action="; http_uri; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:url,http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; 
classtype:trojan-activity; sid:10000073; rev:2;)

James

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault