Home page logo

snort logo Snort mailing list archives

Re: [Snort-users] Vbs rat threat rules
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 28 Jan 2014 12:46:41 -0500

On 1/28/2014 12:07 PM, Feroz Basir wrote:

Thanks for replying. My packet go through a proxy and snort is between 2
proxies. I've just learned that this proxy might change or encapsulate the
packet. I'm trying to monitor vbs rat threat that making connection from the
inside to outside world via various port numbers and hostname. I have the rule
but it didn't work. So I thought vrt could have a special rule for this.

as noted, there are numerous RAT oriented rules... /which/ specific RAT are you 
looking for? what do you mean with the term "vbs"?? to many people, that means 
"Visual BaSic"...

Alert tcp $home_net any -> $external_host 1000 (msg:"alert vbs rat"
content:"Host|3A|"; nocase; http_header; content:"some.website.net
<http://some.website.net>"; nocase; http_header; fast_pattern:only; priority:1;
Sid:1000002; rev:1;)

since your snort is sitting between two proxies and there is the possibility 
that the traffic may be encapsulated, have you tried capturing the traffic 
directly as it passes? you can use tcpdump to capture to a pcap and then review 
the traffic to see what format it is taking...

are both proxies in your $home_net or is the external proxy outside your defined 
$home_net? if it is within your $home_net, your rule will not detect it in some 
cases... these cases will depend on what you have defined for each...

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

WatchGuard Dimension instantly turns raw network data into actionable 
security intelligence. It gives you real-time visual feedback on key
security issues and trends.  Skip the complicated setup - simply import
a virtual appliance and go from zero to informed in seconds.
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]