Re: Snort Ebury SSH Rootkit

[Y M <snort () outlook com>]

Hi Rmkml,
 
Thank you for the good input. This is how the rule came from the reference, I just copied it, certainly there is room 
for improvement. 
 
According the to the reference, this is an inbound packet, where the operators connect to the backdoor on the 
compromised box.
 
YM
 
> Date: Sat, 22 Feb 2014 21:02:59 +0100
> From: rmkml () yahoo fr
> To: snort () outlook com
> CC: lukas.matt () sophos com; snort-sigs () lists sourceforge net; rmkml () yahoo fr
> Subject: RE: [Snort-sigs] Snort Ebury SSH Rootkit
>
> Thx you YM for sharing,
>
> On msg, maybe add "i" on activty.
>
> add flow:to_server,established;
>
> add depth:7 after first content
>
> add content:!"|0A|"; within:20; distance:0; after isdataat
>
> I don't known is a backdoor are inboud (on your example to $HOME_NET) or outbound ? (to $EXTERNAL_NET)
>
> Regards
> @Rmkml
>
>
>
> On Sat, 22 Feb 2014, Y M wrote:
>
> > Another rule suggested/authored by ESET on welivesecurity. Sig is at the bottom:
> >  
> > http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
> >  
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"Linux/Ebury SSH backdoor activty"; content:"SSH-2.0"; 
> > isdataat:20,relative; pcre:"/^SSH-2\.0-[0-9a-f]{22,46}/sm"; reference:url,http://www.welivesecurity.com/2014
> > /02/21/an-in-depth-analysis-of-linuxebury/; classtype:trojan-activity; sid:1000001; rev:1;)
> >
> >  
> > > Date: Mon, 17 Feb 2014 13:33:31 +0100
> > > From: rmkml () yahoo fr
> > > To: snort () outlook com; lukas.matt () sophos com
> > > CC: snort-sigs () lists sourceforge net; rmkml () yahoo fr
> > > Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> > >
> > > Thx you for sharing,
> > >
> > > I'm curious if this rootkit use always same dns transaction ID please ?
> > >
> > > This sig fixed 0x120b (4619 dec)
> > >
> > > Two comments:
> > > - extra [] on [\x00]{6}
> > > - extra | on [\x01|\x02|\x03]
> > >
> > > Regards
> > > @Rmkml
> > >
> > >
> > > On Mon, 17 Feb 2014, Y M wrote:
> > >
> > > > I can't help with that :).
> > > >  
> > > > YM
> > > >  
> > > >
> > > > ___________________________________________________________________________________________________________________________________________________________________________________________________________________________
> > _
> > > > Date: Mon, 17 Feb 2014 11:35:52 +0100
> > > > From: lukas.matt () sophos com
> > > > To: snort () outlook com
> > > > CC: snort-sigs () lists sourceforge net
> > > > Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> > > >
> > > > Thanks YM!
> > > >
> > > > But if I see that correctly there was no answer whether it will be included or not right (and when)?
> > > >
> > > > Cheers,
> > > > Lukas
> > > >
> > > > On 02/17/2014 11:30 AM, Y M wrote:
> > > > Hi Lukas,
> > > >  
> > > > This has been posted to the list 2 days ago :).
> > > >  
> > > > http://seclists.org/snort/2014/q1/364
> > > >  
> > > > YM
> > > >  
> > > >
> > > > ___________________________________________________________________________________________________________________________________________________________________________________________________________________________
> > _
> > > > Date: Mon, 17 Feb 2014 11:26:03 +0100
> > > > From: lukas.matt () sophos com
> > > > To: snort-sigs () lists sourceforge net
> > > > Subject: [Snort-sigs] Snort Ebury SSH Rootkit
> > > >
> > > > Hi guys,
> > > >
> > > > the German intelligence agency wrote some Snort rule for detecting the Ebury Rootkit.
> > > > Are you aware of that rule and when will it be included into the pattern-set.
> > > >
> > > > https://www.cert-bund.de/ebury-faq
> > > >
> > > > alert udp $HOME_NET any -> $EXTERNAL_NET 53 \ (msg:"Ebury SSH Rootkit data exfiltration";\ content:"|12 0b 01 
> > > > 00 00 01|"; depth:6;\ pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}\
> > > > (([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs";\ reference:url,https://www.cert-bund.de/ebury-faq;\ 
> > > > classtype:trojan-activity; sid:10001; rev:1;)
> > > >
> > > >
> > > > Cheers,
> > > > Lukas
> > > >
> > > >
> > > > --
> > > > Lukas Matt
> > > > Deep Packet Inspection Researcher, RnD
> > > >
> > > > tel: +49-721-25516-322, cell: +49-174-3440-555
> > > >
> > > > Sophos Technology GmbH
> > > > Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
> > > >
> > > > SOPHOS Security made simple
> > > >
> > > > ---
> > > > Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> > > > Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
> > > > Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, G?nter Junk
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Lukas Matt
> > > > Deep Packet Inspection Researcher, RnD
> > > >
> > > > tel: +49-721-25516-322, cell: +49-174-3440-555
> > > >
> > > > Sophos Technology GmbH
> > > > Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
> > > >
> > > > SOPHOS Security made simple
> > > >
> > > > ---
> > > > Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> > > > Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
> > > > Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, G?nter Junk

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!