Home page logo
/

snort logo Snort mailing list archives

Re: Vbs rat threat rules
From: Feroz Basir <feroz.basir () gmail com>
Date: Wed, 29 Jan 2014 01:07:30 +0800

Hi,

Thanks for replying. My packet go through a proxy and snort is between 2 proxies. I've just learned that this proxy 
might change or encapsulate the packet. I'm trying to monitor vbs rat threat that making connection from the inside to 
outside world via various port numbers and hostname. I have the rule but it didn't work. So I thought vrt could have a 
special rule for this. 

Alert tcp $home_net any -> $external_host 1000 (msg:"alert vbs rat" content:"Host|3A|"; nocase; http_header; 
content:"some.website.net"; nocase; http_header; fast_pattern:only; priority:1; Sid:1000002; rev:1;)

Thanks.


Regards,
Feroz Basir

On 28 Jan 2014, at 10:40, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Perhaps the reason is, “vbs rat” isn’t a specific attack, it’s a generic term.  We have lots of detection for Remote 
Access Tools, which one is really the question.


On Jan 27, 2014, at 7:49 PM, Feroz Basir <feroz.basir () gmail com> wrote:

Hi again,

Anybody knows? Please help. Thanks.


Regards,
Feroz Fazidi Bin Basir

On 25 Jan 2014, at 19:34, Feroz Basir <feroz.basir () gmail com> wrote:

Hi all, 

Anybody knows which rule that vrt uses for detecting VBS RAT threat? Im sniffing proxy packet which I think change 
the packet.

Thanks.


Regards,
Feroz Basir

------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
WatchGuard Dimension instantly turns raw network data into actionable 
security intelligence. It gives you real-time visual feedback on key
security issues and trends.  Skip the complicated setup - simply import
a virtual appliance and go from zero to informed in seconds.
http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]