Snort mailing list archives
Re: Best detection of Worm
From: Nick Hatch <nick () restek wwu edu>
Date: Thu, 16 Dec 2004 20:50:26 -0800
We've been using the Bleedingsnort Rxbot specific rules with great success. I wouldn't trust using DNS specific rules -- the variants of Rxbot I've seen use a variety of DNS servers. There are some Bleedingsnort rules to watch for the "infected" reports to the botnet DNS server.
Because Rbot also attempts to infect other machines, watching for the infection attempts with generalized threshold rules is a strategy we use to track down infected machines. See the recent thread "TCP sweeps" for a discussion of some of these rules.
Hope that helps, we've been using Snort to track down Rbot for quite a while.
-Nick

Bristol, Gary L. wrote:
We seem to be seeing an infection of the WORM_RBOT.TO worm. By examination of the DNS logs, we're finding DNS lookups for the site (gz.freetypers.us) that the worm then establishes an IRC connection to. What would be the best way to detect on this, an initial on the DNS lookup and then a positive on the IRC connection?
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.TO&VSect=T
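The two detection ideas in the reply above (match the worm's DNS lookup for the C&C host, and flag scanning hosts with a threshold rule) written out as plain Python so they can be checked offline. This is an added example, not code from the thread or from the Bleedingsnort rule set. The only identifier taken from the page is the hostname gz.freetypers.us; the DNS query and the SYN records are constructed here as sample input, and the threshold values are illustrative.

```python
"""Added example: DNS-name matching and a TCP-sweep threshold, in Python.

Not part of the original mailing-list post. Hostname gz.freetypers.us is
from the post; all packets and flow records below are constructed.
"""
import struct
from collections import defaultdict

BOTNET_HOSTS = {"gz.freetypers.us"}  # C&C host named in the original post


def encode_dns_name(hostname):
    """DNS wire format: each label prefixed by its length, terminated by 0x00."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def snort_content(hostname):
    """Snort-style content string for the wire-format name: printable label
    bytes as text, length/terminator bytes as |hex|. Add 'nocase' in the
    rule if you want case-insensitive matching."""
    parts = []
    for b in encode_dns_name(hostname):
        if 0x20 <= b < 0x7F and chr(b) not in '|"\\;':
            parts.append(chr(b))
        else:
            parts.append("|%02X|" % b)
    return "".join(parts)


def build_dns_query(hostname, txid=0x1234):
    """Construct a minimal A-record query (sample input for this example)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_dns_name(hostname) + struct.pack("!HH", 1, 1)  # type A, class IN


def dns_query_name(payload):
    """Return the first question name (lower-cased) from a DNS message, or
    None if the message is truncated or malformed. Queries carry uncompressed
    names, so a compression pointer here is treated as malformed."""
    if len(payload) < 12:
        return None
    (qdcount,) = struct.unpack("!H", payload[4:6])
    if qdcount == 0:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        ln = payload[pos]
        if ln == 0:
            break
        if ln & 0xC0:
            return None
        pos += 1
        if pos + ln > len(payload):
            return None
        labels.append(payload[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    return ".".join(labels).lower()


def is_botnet_lookup(payload):
    """True if the DNS payload asks for one of the known C&C hostnames."""
    name = dns_query_name(payload)
    return name is not None and name in BOTNET_HOSTS


def find_sweepers(syns, max_hosts=20, window=60):
    """Threshold check over SYN records (timestamp, src_ip, dst_ip, dst_port).
    Returns the source IPs that reached more than max_hosts distinct
    destinations within any `window` seconds. This is the same idea as a
    Snort rule on inbound SYNs with a by_src threshold; the numbers here
    are illustrative, not taken from the thread."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in sorted(syns):
        by_src[src].append((ts, dst))
    sweepers = set()
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) > max_hosts:
                sweepers.add(src)
                break
    return sweepers


def sample_syns():
    """Constructed flow records: one host hitting 30 neighbours on 445 in 10s,
    one host talking to the same 3 servers repeatedly."""
    scanner = [(float(i), "10.0.0.5", "10.0.1.%d" % (i + 1), 445) for i in range(30)]
    normal = [(float(i), "10.0.0.9", "10.0.2.%d" % (i % 3 + 1), 445) for i in range(30)]
    return scanner + normal
```

Usage: `snort_content("gz.freetypers.us")` gives the byte pattern you would put in a rule's `content` option for the UDP/53 query; `find_sweepers(sample_syns())` returns `{"10.0.0.5"}`. As the reply notes, the hostname match only catches this one variant; the sweep check is the more general signal.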