Snort mailing list archives
Re: Virut Botnet rule?
From: Matt Jonkman <jonkman () jonkmans com>
Date: Fri, 09 Jan 2009 14:31:49 -0500
Jefferson, Shawn wrote:
This particular one is IRC based, and connects to C&C servers out on the net at port 11830. All communication I've seen is to port 11830, however, it does download other code that communicates with other servers at different ports. These seem to be modules to do various things. One spreads the botnet via the ms08-067, making random connections to the internal network as well as externally on port 445. Another module sends spam email...
Ya, those should catch it. Look at the other irc sigs too, some are more specific for bot commands in IRC if it's normally allowed on your net.
I'll look in the ET ruleset for those sigs. I was only running the malware and virus sigs from ET to keep performance from suffering on my IDS sensor.
Ya, have to pick what your sensors/traffic will allow. I'd recommend taking a look at all of the policy and scan sets as well if malware is a large concern. But as always choose what's relevant. Matt
Shawn

-----Original Message-----
From: Matt Jonkman [mailto:jonkman () jonkmans com]
Sent: January 08, 2009 10:35 PM
To: Jefferson, Shawn
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Virut Botnet rule?

Well, unfortunately Virut is a really vague name. We have about 10k samples in the sandnet that are called some form of Virut. A good chunk of those are called allaple by other AV's, which is a very different beast. Some we have are IRC CnC's, some are http, some are binary channels. Do you have one that's doing a particular thing? Most of the samples we have there is some rule to detect. The IRC ones are well covered, and I think probably half or so of what's called Virut are irc based. If you run the IRC on non standard ports sigs at ET you should catch them all. 2000345 2000347 2000348 etc.

Matt

Jefferson, Shawn wrote:
Hi, Does anyone know if there is a rule that would detect the Virut botnet communications, either in the snort rules or ET rules? Unfortunately, I had some machines pick this up, spread via the MS08-067 vulnerability. I did write a rule to detect communication outbound to what I think is C&C servers (any communication from $HOME_NET to $EXTERNAL_NET:11830). Just wondering if there may have already been some rules I could have used. Also, I wanted to thank the list for their help! Snort & BASE happened to be our only method of finding these infections with our current toolset...

Thanks,
Shawn

------------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace. It is the best place to buy or sell services for just about anything Open Source.
http://p.sf.net/sfu/Xq1LFB
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
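The two detection approaches discussed in this thread side by side, as an added illustration that is not part of the original messages or of the ET ruleset: Shawn's port-only rule ($HOME_NET to $EXTERNAL_NET:11830) and a content check for IRC client commands on a non-standard port, in the spirit of the ET signatures Matt points to. The $HOME_NET range, the standard-IRC-port set and every flow and payload below are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: one RFC 1918 /24 plays the role of Snort's $HOME_NET; anything else is $EXTERNAL_NET.
HOME_NET = ipaddress.ip_network("10.0.0.0/24")
# Ports where IRC is expected on this network; IRC seen anywhere else is the "non-standard port" case.
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Client-side IRC registration/command prefixes (RFC 1459), matched at the start of the payload.
IRC_COMMANDS = (b"NICK ", b"USER ", b"PASS ", b"JOIN ", b"PRIVMSG ")
C2_PORT = 11830  # the port Shawn observed his infected hosts talking to


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent (constructed)


def is_outbound(flow: Flow) -> bool:
    """$HOME_NET -> $EXTERNAL_NET, the direction both rules are written for."""
    return (ipaddress.ip_address(flow.src) in HOME_NET
            and ipaddress.ip_address(flow.dst) not in HOME_NET)


def port_rule(flow: Flow) -> bool:
    """Shawn's rule: any outbound traffic to TCP 11830, regardless of content."""
    return is_outbound(flow) and flow.dport == C2_PORT


def irc_nonstd_port_rule(flow: Flow) -> bool:
    """Content rule: IRC client commands on a port where IRC is not expected."""
    return (is_outbound(flow) and flow.dport not in STANDARD_IRC_PORTS
            and flow.payload.startswith(IRC_COMMANDS))


def evaluate(flows: list[Flow]) -> list[tuple[bool, bool]]:
    """(port_rule, irc_rule) verdict per flow, so the two approaches can be compared."""
    return [(port_rule(f), irc_nonstd_port_rule(f)) for f in flows]


# Constructed flows using documentation IP ranges and invented payloads.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 11830, b"NICK [XP|usa]a1b2c3\r\n"),  # C&C on 11830: both fire
    Flow("10.0.0.5", "198.51.100.9", 8080, b"USER a b c :d\r\n"),         # C&C on another port: IRC rule only
    Flow("10.0.0.5", "198.51.100.7", 11830, b"GET / HTTP/1.1\r\n"),      # non-IRC on 11830: port rule only
    Flow("10.0.0.5", "203.0.113.4", 6667, b"NICK alice\r\n"),            # ordinary IRC: neither (policy call)
    Flow("198.51.100.7", "10.0.0.5", 11830, b"NICK bot\r\n"),            # inbound: neither (direction check)
]

if __name__ == "__main__":
    for flow, (by_port, by_irc) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  port_rule={by_port}  irc_rule={by_irc}")
```

The second flow is the case Matt's advice is about: once the controller moves off 11830, only the protocol-based check still fires, which is why the IRC-on-non-standard-ports signatures are the more durable choice.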