Snort mailing list archives
Re: Rovnix Rule
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 5 Aug 2013 14:13:49 -0400
Thanks, I'm taking a look.

On Mon, Aug 5, 2013 at 1:43 PM, Y M <snort () outlook com> wrote:
Probably being cooked already, and maybe enhanced even further, as the Rovnix behavior is far more complex:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download request"; flow:to_server,established; content:"GET"; http_method; content:"/ld.aspx"; nocase; http_uri; content:"User-Agent|3a 20|FWVersionTestAgent|0d 0a|"; fast_pattern:only; metadata:impact-flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity; sid:112233; rev:1;)

There is another potential rule in the pcap referenced (first reference) in the form of a "BLACKLIST DNS request", but I think the one above is more relevant. Any ideas to make it better are always welcome.

Thanks.
YM
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
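The rule posted above combines three payload conditions (a GET method, "/ld.aspx" in the normalized URI with nocase, and an exact, case-sensitive "User-Agent: FWVersionTestAgent\r\n" used as the fast pattern). The script below is an added example, not code from the thread or from the Snort project: it re-implements those conditions in Python over a handful of constructed HTTP requests, so you can see which variants the rule would and would not fire on (percent-encoded or upper-cased URIs still match because http_uri is normalized and nocase is set; a lower-cased User-Agent does not, because a fast_pattern:only content has no nocase). The sample requests, the host name and the helper names are all assumptions; the flow:to_server,established condition is a stream property and is not modelled here.

```python
"""
Added example: a minimal re-implementation of the Rovnix rule's payload
conditions, used to sanity-check the rule logic without running Snort.
This is illustrative code, not Snort's matcher and not part of the thread.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Indicator values copied from the rule text in the thread.
URI_NEEDLE = b"/ld.aspx"                              # content:"/ld.aspx"; nocase; http_uri;
UA_NEEDLE = b"User-Agent: FWVersionTestAgent\r\n"     # content:"User-Agent|3a 20|FWVersionTestAgent|0d 0a|"; fast_pattern:only;

# Constructed sample requests (assumed, not captured traffic). "example.test" is a placeholder host.
SAMPLES: Dict[str, bytes] = {
    "rovnix_like":  b"GET /ld.aspx?id=1 HTTP/1.1\r\nHost: example.test\r\nUser-Agent: FWVersionTestAgent\r\n\r\n",
    "uri_upper":    b"GET /LD.ASPX HTTP/1.1\r\nHost: example.test\r\nUser-Agent: FWVersionTestAgent\r\n\r\n",
    "uri_encoded":  b"GET /ld%2Easpx HTTP/1.1\r\nHost: example.test\r\nUser-Agent: FWVersionTestAgent\r\n\r\n",
    "ua_lowercase": b"GET /ld.aspx HTTP/1.1\r\nHost: example.test\r\nUser-Agent: fwversiontestagent\r\n\r\n",
    "post_method":  b"POST /ld.aspx HTTP/1.1\r\nHost: example.test\r\nUser-Agent: FWVersionTestAgent\r\n\r\n",
    "benign":       b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}


def parse_request(raw: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Split a raw HTTP/1.x request into (method, uri, header_block).

    Returns None when the request line or the header terminator is missing,
    which is how a malformed or non-HTTP payload is treated here.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], headers + b"\r\n"


def normalize_uri(uri: bytes) -> bytes:
    """Simplified stand-in for the normalized http_uri buffer.

    Percent-decodes and collapses "/./" segments. Snort's http_inspect does
    more than this (assumption: the subset here is enough for these samples).
    """
    decoded = unquote_to_bytes(uri)
    while b"/./" in decoded:
        decoded = decoded.replace(b"/./", b"/")
    return decoded


def evaluate_rule(raw: bytes) -> Dict[str, bool]:
    """Evaluate each content condition of the rule and the overall verdict."""
    parsed = parse_request(raw)
    if parsed is None:
        return {"method": False, "uri": False, "user_agent": False, "alert": False}
    method, uri, _headers = parsed
    checks = {
        # content:"GET"; http_method;  (case-sensitive, method buffer only)
        "method": method == b"GET",
        # content:"/ld.aspx"; nocase; http_uri;  (normalized URI, case-insensitive)
        "uri": URI_NEEDLE.lower() in normalize_uri(uri).lower(),
        # fast_pattern:only content: raw, case-sensitive search of the payload
        "user_agent": UA_NEEDLE in raw,
    }
    checks["alert"] = all(checks.values())
    return checks


def scan(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Return the alert verdict for every sample request."""
    return {name: evaluate_rule(raw)["alert"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14s} -> {'ALERT' if verdict else 'no match'}")
```

Reading the verdicts side by side is the useful part: "uri_upper" and "uri_encoded" still fire, while "ua_lowercase" is missed even though its URI condition is satisfied, which is the trade-off of putting the User-Agent on a fast_pattern:only content (cheap, but exact-case). If case variation in that header ever shows up in samples, the fix is to drop fast_pattern:only and add nocase on that content instead.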
Current thread:
- Rovnix Rule Y M (Aug 05)
- Re: Rovnix Rule Joel Esler (Aug 05)