Snort mailing list archives
Re: Snort Ebury SSH Rootkit
From: Y M <snort () outlook com>
Date: Mon, 17 Feb 2014 11:57:19 +0000
I can't help with that :).
YM
Date: Mon, 17 Feb 2014 11:35:52 +0100
From: lukas.matt () sophos com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
Thanks YM!
But if I see that correctly, there was no answer on whether it will be
included or not, right (and when)?
Cheers,
Lukas
On 02/17/2014 11:30 AM, Y M wrote:
Hi Lukas,
This has been posted to the list 2 days ago :).
http://seclists.org/snort/2014/q1/364
YM
Date: Mon, 17 Feb 2014 11:26:03 +0100
From: lukas.matt () sophos com
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Snort Ebury SSH Rootkit
Hi guys,
the German intelligence agency wrote some Snort rule for
detecting the Ebury Rootkit.
Are you aware of that rule, and when will it be included in
the pattern set?
https://www.cert-bund.de/ebury-faq
alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
  (msg:"Ebury SSH Rootkit data exfiltration"; \
  content:"|12 0b 01 00 00 01|"; depth:6; \
  pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; \
  reference:url,https://www.cert-bund.de/ebury-faq; \
  classtype:trojan-activity; sid:10001; rev:1;)
Cheers,
Lukas
--
Lukas Matt
Deep Packet Inspection Researcher, RnD
tel: +49-721-25516-322, cell: +49-174-3440-555
Sophos Technology GmbH
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
SOPHOS Security made simple
---
Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about
Snort!
--
Lukas Matt
Deep Packet Inspection Researcher, RnD
tel: +49-721-25516-322, cell: +49-174-3440-555
Sophos Technology GmbH
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
SOPHOS Security made simple
---
Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
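To make the posted rule's payload conditions inspectable offline, here is an added Python example (not part of the thread and not CERT-Bund's code) that builds constructed DNS queries in the shape the rule targets and evaluates the rule's content and pcre checks against them. The DNS header is the rule's fixed prefix (transaction ID 0x120b, flags 0x0100, one question), the first label is a lowercase hex token and the following labels carry an IPv4 address one octet per label, or a single "::1" label. The token "deadbeef0123" and the address 203.0.113.7 are constructed sample values. One assumption: the rule's class `[\x01|\x02|\x03]` is written here as `[\x01-\x03]`; inside a character class the pipes are literal bytes, so the original also matches a 0x7c label length, which is presumably unintended.

```python
"""
Added example: replay the Ebury DNS exfiltration rule's content/pcre checks in
Python over constructed UDP payloads. Not the original rule author's code.
"""
import re
import struct

# Rule: content:"|12 0b 01 00 00 01|"; depth:6; -> the 6-byte content must sit
# inside the first 6 payload bytes, i.e. at offset 0.
RULE_CONTENT = b"\x12\x0b\x01\x00\x00\x01"

# Rule pcre, with Snort's /B (raw bytes) dropped because Python already works on
# bytes, and /s mapped to re.DOTALL so '.' also matches a 0x0a label length.
# ASSUMPTION: [\x01|\x02|\x03] from the posted rule written as [\x01-\x03].
RULE_PCRE = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}"
    rb"(([\x01-\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01",
    re.DOTALL,
)


def encode_qname(labels):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, labels, qtype=1, qclass=1):
    """Standard recursive query (flags 0x0100, QDCOUNT 1) for the given name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(labels) + struct.pack("!HH", qtype, qclass)


def rule_matches(payload):
    """Evaluate the rule's payload conditions: content at depth 6, then pcre."""
    if not payload.startswith(RULE_CONTENT):
        return False
    return RULE_PCRE.search(payload) is not None


def parse_qname(payload, offset=12):
    """Read the question name after the 12-byte header; returns (labels, end)."""
    labels = []
    while True:
        n = payload[offset]
        offset += 1
        if n == 0:
            return labels, offset
        labels.append(payload[offset:offset + n].decode("ascii", "replace"))
        offset += n


def decode_exfil(payload):
    """Pull the fields the rule keys on: the hex token and the encoded address."""
    labels, _ = parse_qname(payload)
    token, rest = labels[0], labels[1:]
    address = ".".join(rest) if len(rest) == 4 else rest[0]
    return token, address


# Constructed sample payloads (not captured traffic).
EBURY_V4 = build_query(0x120b, ["deadbeef0123", "203", "0", "113", "7"])
EBURY_V6 = build_query(0x120b, ["deadbeef0123", "::1"])
BENIGN = build_query(0x120b, ["www", "example", "com"])   # same txid, ordinary name
OTHER_ID = build_query(0x1234, ["deadbeef0123", "203", "0", "113", "7"])

if __name__ == "__main__":
    for name, pkt in [("EBURY_V4", EBURY_V4), ("EBURY_V6", EBURY_V6),
                      ("BENIGN", BENIGN), ("OTHER_ID", OTHER_ID)]:
        hit = rule_matches(pkt)
        extra = decode_exfil(pkt) if hit else ""
        print(f"{name:9s} match={hit} {extra}")
```

Note what the negative cases show: BENIGN shares the transaction ID, so the content check passes and only the pcre rejects it, while OTHER_ID fails at the content stage and never reaches the regex. The rule keys on a fixed transaction ID, so a resolver that happens to pick 0x120b still has to present a hex first label and address labels to trigger it.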
Current thread:
- Snort Ebury SSH Rootkit Lukas Matt (Feb 17)
- Re: Snort Ebury SSH Rootkit Y M (Feb 17)
- Re: Snort Ebury SSH Rootkit Lukas Matt (Feb 17)
- Re: Snort Ebury SSH Rootkit Y M (Feb 17)
- Re: Snort Ebury SSH Rootkit rmkml (Feb 17)
- Re: Snort Ebury SSH Rootkit Y M (Feb 22)
- Re: Snort Ebury SSH Rootkit rmkml (Feb 22)
- Re: Snort Ebury SSH Rootkit Y M (Feb 22)
- Re: Snort Ebury SSH Rootkit Joel Esler (jesler) (Feb 23)
- Re: Snort Ebury SSH Rootkit Lukas Matt (Feb 17)
- Re: Snort Ebury SSH Rootkit Y M (Feb 17)
