Snort mailing list archives

Re: Question on 26287
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 2 Apr 2013 17:23:40 -0600

On Apr 2, 2013, at 4:47 PM, Joel Esler <jesler () sourcefire com> wrote:

On Apr 2, 2013, at 4:16 PM, James Lay <jlay () slave-tothe-box net> wrote:

Hey all.

Here's the rule:

Ortega Rootkit outbound connection - search.namequery.com"; 
flow:to_server,established; content:" search.namequery.com|0D 0A|"; 
fast_pattern:only; http_header; content:"|0D 0A|TagId: "; depth:9; 
offset:15; metadata:impact_flag red, policy balanced-ips drop, policy 
security-ips drop, ruleset community, service http; 
classtype:trojan-activity; sid:26287; rev:1;)

Any additional info on this? You didn't hear this from me, but this 
fires on Fujitsu Q550 running Windows 7 Professional x86 out of the box.

Here is that rule now (It hasn't been shipped yet)

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound 
connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; 
fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, 
service http; reference:url,www.absolute.com/en/products/absolute-computrace; 
classtype:trojan-activity; sid:26287; rev:3;)

This is computrace's "laptop lo-jack" software.  I've moved it from MALWARE-CNC to APP-DETECT, changed the message 
and took it out of the balanced policy.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

Awesome…thanks Joel.

Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!
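An added example, not code from the thread or from the VRT: a small Python model of the two content matches in sid:26287 rev:3 (Host header plus "TagId: " header, both bound to http_header) beside the positional rev:1 check (depth:9, offset:15, no http_header), run over constructed HTTP requests; the TagId values and paths are made up, and Snort 2 depth/offset semantics are assumed.

```python
from typing import Optional

# Added example, not from the Snort-sigs thread or the VRT rule source.
# Models the detection logic of sid:26287 over raw HTTP request bytes.
HOST_PATTERN = b"Host: search.namequery.com\r\n"   # rev:3 content #1 (fast_pattern:only; http_header)
TAGID_PATTERN = b"TagId: "                          # rev:3 content #2 (http_header)


def http_headers(request: bytes) -> Optional[bytes]:
    """Approximate Snort's http_header buffer: the header fields of a client
    request, request line excluded, up to and including the final CRLF.
    Returns None when the request has no complete header block."""
    end = request.find(b"\r\n\r\n")
    if end == -1:
        return None
    first_crlf = request.find(b"\r\n")
    return request[first_crlf + 2:end + 2]


def matches_sid_26287_rev3(request: bytes) -> bool:
    """True when both rev:3 contents hit inside the header buffer.
    Both are bound to http_header, so header order does not matter."""
    headers = http_headers(request)
    if headers is None:
        return False
    return HOST_PATTERN in headers and TAGID_PATTERN in headers


def rev1_tagid_check(request: bytes) -> bool:
    """rev:1 content #2: "|0D 0A|TagId: " with depth:9; offset:15 and no
    http_header. Assumed Snort 2 semantics: start at payload byte 15 and
    search 9 bytes, so the 9-byte pattern must sit exactly at bytes 15..23,
    i.e. directly after a 15-byte request line."""
    return request[15:24] == b"\r\nTagId: "


# Constructed sample requests (placeholder TagId, made-up paths).
COMPUTRACE_LIKE = (
    b"POST /agent HTTP/1.1\r\n"
    b"Host: search.namequery.com\r\n"
    b"TagId: EXAMPLE-TAG-0000\r\n"
    b"Content-Length: 0\r\n\r\n"
)
REORDERED = (
    b"POST /agent HTTP/1.1\r\n"
    b"TagId: EXAMPLE-TAG-0000\r\n"
    b"Host: search.namequery.com\r\n\r\n"
)
OTHER_HOST = COMPUTRACE_LIKE.replace(b"search.namequery.com", b"www.example.com")
NO_TAGID = b"GET / HTTP/1.1\r\nHost: search.namequery.com\r\n\r\n"
```

Only the rev:3 form fires on REORDERED and COMPUTRACE_LIKE; rev1_tagid_check needs the TagId header to follow a request line of exactly 15 bytes.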
