Snort mailing list archives
Re: Snort Ebury SSH Rootkit
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sun, 23 Feb 2014 13:12:54 +0000
We received permission to use the other rule from the author. We're putting it through QA now. We can't just take people's rules.

--
Joel Esler
Sent from my iPhone
On Feb 22, 2014, at 14:48, "Y M" <snort () outlook com> wrote:

Another rule suggested/authored by ESET on welivesecurity. Sig is at the bottom:
http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"Linux/Ebury SSH backdoor activty"; content:"SSH-2.0"; isdataat:20,relative; pcre:"/^SSH-2\.0-[0-9a-f]{22,46}/sm"; reference:url,http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/; classtype:trojan-activity; sid:1000001; rev:1;)

Date: Mon, 17 Feb 2014 13:33:31 +0100
From: rmkml () yahoo fr
To: snort () outlook com; lukas.matt () sophos com
CC: snort-sigs () lists sourceforge net; rmkml () yahoo fr
Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit

Thanks for sharing,
I'm curious if this rootkit always uses the same DNS transaction ID?
This sig fixed 0x120b (4619 dec)
Two comments:
- extra [] on [\x00]{6}
- extra | on [\x01|\x02|\x03]
Regards
@Rmkml

On Mon, 17 Feb 2014, Y M wrote:
I can't help with that :).
YM

Date: Mon, 17 Feb 2014 11:35:52 +0100
From: lukas.matt () sophos com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit

Thanks YM! But if I see that correctly there was no answer whether it will be included or not, right (and when)?
Cheers,
Lukas

On 02/17/2014 11:30 AM, Y M wrote:
Hi Lukas,
This has been posted to the list 2 days ago :).
http://seclists.org/snort/2014/q1/364
YM

Date: Mon, 17 Feb 2014 11:26:03 +0100
From: lukas.matt () sophos com
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Snort Ebury SSH Rootkit

Hi guys,
the German intelligence agency wrote some Snort rule for detecting the Ebury Rootkit. Are you aware of that rule, and when will it be included in the pattern set?
https://www.cert-bund.de/ebury-faq

alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
(msg:"Ebury SSH Rootkit data exfiltration";\
content:"|12 0b 01 00 00 01|"; depth:6;\
pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}\
(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs";\
reference:url,https://www.cert-bund.de/ebury-faq;\
classtype:trojan-activity; sid:10001; rev:1;)

Cheers,
Lukas

--
Lukas Matt
Deep Packet Inspection Researcher, RnD
tel: +49-721-25516-322, cell: +49-174-3440-555
Sophos Technology GmbH
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
SOPHOS Security made simple
---
Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
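Both signatures quoted in this thread can be exercised offline against constructed packets before they reach a sensor. This is an added example, not code from the thread, CERT-Bund, ESET or Sophos: the two pcre strings are transcribed into Python's re unchanged, the "tight" variant applies rmkml's two comments (\x00{6} and [\x01-\x03]), and every packet and banner below is constructed test data, not a capture.

```python
import re
import struct

# CERT-Bund pcre from the thread as a Python bytes pattern: txid 0x120b,
# standard-query flags, QDCOUNT 1, zeroed AN/NS/AR counts, a hex label of
# 6+ chars, then four 1-3 digit labels (an IPv4 address as labels) or the
# label "::1", then the QNAME terminator and QTYPE A.
EBURY_DNS_RE = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}"
    rb"(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01", re.DOTALL)
# Same pattern with rmkml's two comments applied: \x00{6} instead of the
# one-element class, and [\x01-\x03] so a literal "|" (0x7c) no longer matches.
EBURY_DNS_RE_TIGHT = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01\x00{6}.[a-f0-9]{6,}"
    rb"(([\x01-\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01", re.DOTALL)
# ESET pcre: SSH-2.0 banner whose version field is 22 to 46 lowercase hex chars.
EBURY_SSH_RE = re.compile(rb"^SSH-2\.0-[0-9a-f]{22,46}", re.DOTALL | re.MULTILINE)


def build_dns_query(txid, labels):
    """Constructed DNS A query: 12-byte header, length-prefixed labels, QTYPE/QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def matches_ebury_dns(payload, tight=False):
    """True if a UDP/53 payload matches the CERT-Bund signature (or the tightened one)."""
    regex = EBURY_DNS_RE_TIGHT if tight else EBURY_DNS_RE
    return regex.match(payload) is not None


def matches_ebury_ssh_banner(banner):
    """True if an SSH banner line matches the ESET signature."""
    return EBURY_SSH_RE.search(banner) is not None


# Constructed test traffic: hex label plus dotted-quad labels, hex label plus
# "::1", a normal lookup that happens to share txid 0x120b, and a copy where
# one label length byte is the literal "|" that rmkml's comment refers to.
EXFIL_V4 = build_dns_query(0x120B, [b"deadbeef0123", b"203", b"0", b"113", b"5"])
EXFIL_V6 = build_dns_query(0x120B, [b"abcdef012345", b"::1"])
BENIGN = build_dns_query(0x120B, [b"www", b"example", b"com"])
PIPE_QUIRK = EXFIL_V4.replace(b"\x03203", b"|203", 1)

if __name__ == "__main__":
    for name, pkt in [("v4", EXFIL_V4), ("v6", EXFIL_V6), ("benign", BENIGN), ("pipe", PIPE_QUIRK)]:
        print(name, matches_ebury_dns(pkt), matches_ebury_dns(pkt, tight=True))
    print(matches_ebury_ssh_banner(b"SSH-2.0-a1b2c3d4e5f6a7b8c9d0e1f2a3b4\r\n"))
```

The benign query shows why the 0x120b transaction ID alone is not the detection: the hex label and the address-as-labels structure are what separate it from ordinary traffic.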