Home page logo
/

snort logo Snort mailing list archives

Question on 26287
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 02 Apr 2013 14:16:55 -0600

Hey all.

Here's the rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Ortega Rootkit outbound connection - search.namequery.com"; 
flow:to_server,established; content:" search.namequery.com|0D 0A|"; 
fast_pattern:only; http_header; content:"|0D 0A|TagId: "; depth:9; 
offset:15; metadata:impact_flag red, policy balanced-ips drop, policy 
security-ips drop, ruleset community, service http; 
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; 
classtype:trojan-activity; sid:26287; rev:1;)

Any additional info on this?  You didn't hear this from me, but this 
fires on Fujitsu Q550 running Windows 7 Professional x86 out of the box 
:)

James

------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault