Snort mailing list archives

Re: Question on 26287
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 2 Apr 2013 21:33:46 -0400

Btw--  since that rule was a community rule, it's already been shipped in the community set updated.  

--
Joel Esler
Sent from my iPhone 

On Apr 2, 2013, at 7:23 PM, James Lay <jlay () slave-tothe-box net> wrote:


On Apr 2, 2013, at 4:47 PM, Joel Esler <jesler () sourcefire com> wrote:

On Apr 2, 2013, at 4:16 PM, James Lay <jlay () slave-tothe-box net> wrote:

Hey all.

Here's the rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Ortega Rootkit outbound connection - search.namequery.com"; flow:to_server,established; content:" search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|TagId: "; depth:9; offset:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:1;)

Any additional info on this?  You didn't hear this from me, but this 
fires on Fujitsu Q550 running Windows 7 Professional x86 out of the box 
:)


Here is that rule now (It hasn't been shipped yet)

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.absolute.com/en/products/absolute-computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:3;)

This is computrace's "laptop lo-jack" software.  I've moved it from MALWARE-CNC to APP-DETECT, changed the message 
and took it out of the balanced policy.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


Awesome…thanks Joel.

James
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
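The two revisions quoted above differ in where they look for the Computrace beacon: rev:1 expects the TagId header at a fixed byte offset in the raw payload (offset:15, depth:9) and only requires the hostname somewhere in the header buffer, while rev:3 matches both strings in the HTTP header buffer and anchors the hostname to the Host header. The Python script below is an added illustration, not part of this thread and not Sourcefire/VRT code: it models only the content, offset, depth and http_header options those two rules use and runs both revisions against constructed client requests. The header-buffer model (header lines after the request line, up to the blank line), the sample requests and the placeholder TagId value are assumptions, and the whole thing is a simplified stand-in for Snort's real matching, not a reimplementation of it.

```python
# Added example (not from the thread or the VRT ruleset): a simplified model of the
# content / offset / depth / http_header options used by sid 26287 rev 1 and rev 3,
# run against constructed HTTP client requests. Assumption: the http_header buffer is
# the header lines after the request line, up to the blank line. This is not Snort.

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Content:
    pattern: bytes
    http_header: bool = False    # search the header buffer instead of the raw payload
    offset: int = 0              # skip this many bytes before searching
    depth: Optional[int] = None  # search at most this many bytes after the offset


def header_buffer(payload: bytes) -> bytes:
    """Assumed http_header buffer: header lines only, each terminated by CRLF."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    _, sep, headers = head.partition(b"\r\n")  # strip the request line
    return headers + b"\r\n" if sep else b""


def content_matches(c: Content, payload: bytes) -> bool:
    buf = header_buffer(payload) if c.http_header else payload
    end = None if c.depth is None else c.offset + c.depth
    return c.pattern in buf[c.offset:end]


def rule_matches(contents: List[Content], payload: bytes) -> bool:
    return all(content_matches(c, payload) for c in contents)


# sid 26287 rev 1 as quoted in the thread: hostname anywhere in the header buffer,
# plus "\r\nTagId: " at exactly bytes 15-23 of the raw payload (depth 9 from offset 15).
REV1 = [
    Content(b" search.namequery.com\r\n", http_header=True),
    Content(b"\r\nTagId: ", offset=15, depth=9),
]

# sid 26287 rev 3: both strings in the header buffer, hostname anchored to the Host header.
REV3 = [
    Content(b"Host: search.namequery.com\r\n", http_header=True),
    Content(b"TagId: ", http_header=True),
]

# Constructed sample requests (not captured traffic). The TagId value is a placeholder.
SAMPLES: Dict[str, bytes] = {
    # the request line "POST / HTTP/1.1" is 15 bytes, so "\r\nTagId: " lands at offset 15
    "beacon": (b"POST / HTTP/1.1\r\n"
               b"TagId: PLACEHOLDER-TAG\r\n"
               b"Host: search.namequery.com\r\n"
               b"Content-Length: 0\r\n\r\n"),
    # same headers, different request line: the fixed offset in rev 1 no longer lines up
    "beacon_other_path": (b"POST /agent HTTP/1.1\r\n"
                          b"Host: search.namequery.com\r\n"
                          b"TagId: PLACEHOLDER-TAG\r\n\r\n"),
    # hostname only inside a Referer URL and no TagId header: neither revision fires
    "benign": (b"GET /search?q=x HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Referer: http://search.namequery.com/\r\n\r\n"),
}


def evaluate(payload: bytes) -> Dict[str, bool]:
    """Return which revision of the rule would match this request under the model."""
    return {"rev1": rule_matches(REV1, payload), "rev3": rule_matches(REV3, payload)}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:18s} {evaluate(req)}")
```

Under this model the original beacon trips both revisions, the same beacon with a different request line is missed by rev:1 because its offset:15/depth:9 window no longer contains "\r\nTagId: ", and a request that merely mentions the hostname in a Referer trips neither. That is the practical difference between pinning a header to a raw-payload offset and matching it in the normalized header buffer, which is what the rev:3 rewrite above does.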
