Snort mailing list archives
Re: Virut Botnet rule?
From: Matt Jonkman <jonkman () jonkmans com>
Date: Fri, 09 Jan 2009 01:35:24 -0500
Well, unfortunately Virut is a really vague name. We have about 10k samples in the sandnet that are called some form of Virut. A good chunk of those are called Allaple by other AVs, which is a very different beast. Some we have are IRC CnCs, some are HTTP, some are binary channels. Do you have one that's doing a particular thing?

Most of the samples we have there is some rule to detect. The IRC ones are well covered, and I think probably half or so of what's called Virut are IRC based. If you run the "IRC on non standard ports" sigs at ET you should catch them all. 2000345, 2000347, 2000348, etc.

Matt

Jefferson, Shawn wrote:

> Hi,
>
> Does anyone know if there is a rule that would detect the Virut botnet communications, either in the snort rules or ET rules? Unfortunately, I had some machines pick this up, spread via the MS08-067 vulnerability. I did write a rule to detect communication outbound to what I think is C&C servers (any communication from $HOME_NET to $EXTERNAL_NET:11830). Just wondering if there may have already been some rules I could have used.
>
> Also, I wanted to thank the list for their help! Snort & BASE happened to be our only method of finding these infections with our current toolset…
>
> Thanks,
> Shawn
--
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
PGP: http://www.jonkmans.com/mattjonkman.asc
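The two detection ideas in this exchange, Shawn's port-based rule and the "IRC on non-standard ports" approach Matt points to, as an added Python illustration that is not part of the thread and not a reproduction of the ET signatures; the port list, the IRC command set and the sample flows are my own assumptions and constructed inputs.

```python
import re

# Ports IRC conventionally uses. IRC protocol commands seen on any other
# port are the signal the "IRC on non-standard ports" idea relies on.
# (assumed list; the actual ET rule contents are not reproduced here)
STANDARD_IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665,
                      6666, 6667, 6668, 6669, 6697, 7000}

# The destination port Shawn saw his infected hosts talking to.
SUSPECT_CNC_PORT = 11830

# IRC registration/channel commands at the start of a line in the
# client-to-server direction (assumed command set for the illustration).
IRC_CMD = re.compile(rb"(?m)^(NICK|USER|JOIN|PRIVMSG|PING|PONG) ")


def classify_flow(dst_port, payload):
    """Return the names of the checks that fire for one outbound flow.

    dst_port: destination port of the flow from $HOME_NET to $EXTERNAL_NET
    payload:  reassembled client-to-server bytes of that flow
    """
    hits = []
    # Shawn's rule: any outbound traffic to port 11830.
    if dst_port == SUSPECT_CNC_PORT:
        hits.append("outbound-to-11830")
    # Matt's pointer: IRC commands on a port IRC does not normally use.
    # Require two commands so a single stray "PING " does not alert.
    if dst_port not in STANDARD_IRC_PORTS and len(IRC_CMD.findall(payload)) >= 2:
        hits.append("irc-on-nonstandard-port")
    return hits


# Constructed sample flows, not real captures.
SAMPLE_FLOWS = [
    (11830, b"NICK zxvn\r\nUSER a 0 0 :a\r\nJOIN #x\r\n"),          # both fire
    (8080,  b"NICK abcd\r\nUSER b 0 0 :b\r\n"),                     # IRC check only
    (6667,  b"NICK legit\r\nUSER c 0 0 :c\r\nJOIN #snort\r\n"),    # normal IRC, clean
    (80,    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),        # HTTP, clean
]


def run_checks(flows=SAMPLE_FLOWS):
    """Classify every sample flow; returns [(dst_port, [hits...]), ...]."""
    return [(port, classify_flow(port, payload)) for port, payload in flows]


if __name__ == "__main__":
    for port, hits in run_checks():
        print(port, hits or "clean")
```

The IRC check deliberately keys on protocol commands rather than the port, which is why it still catches a CnC channel that moves off 11830.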