Snort mailing list archives
Re: Vbs rat threat rules
From: Feroz Basir <feroz.basir () gmail com>
Date: Wed, 29 Jan 2014 01:07:30 +0800
Hi,

Thanks for replying. My packets go through a proxy, and Snort is between 2 proxies. I've just learned that this proxy might change or encapsulate the packet. I'm trying to monitor a VBS RAT threat that is making connections from the inside to the outside world via various port numbers and hostname. I have the rule but it didn't work. So I thought VRT could have a special rule for this.

alert tcp $home_net any -> $external_host 1000 (msg:"alert vbs rat"; content:"Host|3A|"; nocase; http_header; content:"some.website.net"; nocase; http_header; fast_pattern:only; priority:1; sid:1000002; rev:1;)

Thanks.

Regards,
Feroz Basir
On 28 Jan 2014, at 10:40, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Perhaps the reason is, “vbs rat” isn’t a specific attack, it’s a generic term. We have lots of detection for Remote Access Tools, which one is really the question.

On Jan 27, 2014, at 7:49 PM, Feroz Basir <feroz.basir () gmail com> wrote:

Hi again,

Does anybody know? Please help.

Thanks.

Regards,
Feroz Fazidi Bin Basir

On 25 Jan 2014, at 19:34, Feroz Basir <feroz.basir () gmail com> wrote:

Hi all,

Does anybody know which rule VRT uses for detecting the VBS RAT threat? I'm sniffing proxy packet which I think change the packet.

Thanks.

Regards,
Feroz Basir

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
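Added example, not part of the original thread or of any Snort ruleset: when a sensor sits on the client side of an HTTP proxy, the destination hostname can appear in the request line (absolute-form GET or CONNECT) as well as in the Host header, so this Python check collects it from all three places before comparing against a watchlist. The function names and the sample requests are constructed for illustration; the hostname and port are the ones from the rule in the post.

```python
import re

WATCHLIST = {"some.website.net"}  # hostname taken from the rule in the post


def strip_port(authority: str) -> str:
    """Lower-case an authority and drop userinfo and a numeric port."""
    host = authority.rsplit("@", 1)[-1].lower()
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def request_hosts(raw: bytes) -> set:
    """Return every destination hostname named in one HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    hosts = set()
    parts = lines[0].split(" ")
    if len(parts) == 3:
        method, target, _version = parts
        if method.upper() == "CONNECT":
            # Tunnel request: the target is host:port (authority-form).
            hosts.add(strip_port(target))
        else:
            # Request sent to a proxy: the target is a full URL (absolute-form).
            m = re.match(r"(?i)https?://([^/?#]+)", target)
            if m:
                hosts.add(strip_port(m.group(1)))
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            hosts.add(strip_port(value.strip()))
    return hosts


def flagged(raw: bytes) -> bool:
    """True when any hostname in the request is on the watchlist."""
    return bool(request_hosts(raw) & WATCHLIST)


# Constructed sample requests (not captured traffic).
DIRECT = b"GET /index HTTP/1.1\r\nHost: some.website.net:1000\r\n\r\n"
PROXIED = b"GET http://Some.Website.NET:1000/index HTTP/1.0\r\n\r\n"
TUNNEL = b"CONNECT some.website.net:1000 HTTP/1.1\r\nHost: some.website.net:1000\r\n\r\n"
BENIGN = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("direct", DIRECT), ("proxied", PROXIED),
                       ("tunnel", TUNNEL), ("benign", BENIGN)]:
        print(label, sorted(request_hosts(req)), flagged(req))
```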
Current thread:
- Vbs rat threat rules Feroz Basir (Jan 23)
- <Possible follow-ups>
- Vbs rat threat rules Feroz Basir (Jan 25)
- Re: Vbs rat threat rules Feroz Basir (Jan 27)
- Re: Vbs rat threat rules Joel Esler (jesler) (Jan 27)
- Re: Vbs rat threat rules Feroz Basir (Jan 28)
- Re: [Snort-users] Vbs rat threat rules waldo kitty (Jan 28)
- Re: Vbs rat threat rules Kevin Ross (Jan 28)
- Re: Vbs rat threat rules Feroz Basir (Jan 27)