Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17

[Alex Kirk <akirk () sourcefire com>]

There are some better pieces of detection we can use to find this thing,
actually. I'll get the rule updated by the next SEU.

On Wed, Mar 17, 2010 at 3:38 PM, Mike Cox <mike.cox52 () gmail com> wrote:

> I find it ironic that the Oinkmaster update email trips rule 10089:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SPYWARE-PUT
> Keylogger beyond Keylogger runtime detection - log sent by ftp";
> flow:to_server,established; content:"Open"; nocase; content:"Beyond";
> distance:0; nocase; content:"Keylogger"; distance:0; nocase;
> metadata:policy security-ips drop;
> reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453097340;
> classtype:successful-recon-limited; sid:10089; rev:4;)
>
> Maybe you could add some flowbits so this only alerts if a true FTP
> session has been identified. Just looking for "Open" followed by
> "Beyond" followed by "Keylogger" seems like it will have a lot of
> false positives.  In fact, this email should create some.
>
> -Mike Cox
>
> On 3/17/10, Research <research () sourcefire com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > Sourcefire VRT Certified Snort Rules Update
> >
> > Synopsis:
> > This release adds and modifies rules in several categories.
> >
> > Details:
> > As a result of ongoing research, the Sourcefire VRT has added multiple
> > rules to the specific-threats and spyware-put rule sets to provide
> > coverage for emerging threats from these technologies.
> >
> > For a complete list of new and modified rules please see:
> >
> > http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-03-17.html
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (GNU/Linux)
> >
> > iD8DBQFLoQJ1QcQOxItLLaMRAtjoAJ9Bkns5WYh0dQxVBzFwJyAHJBoDcgCgqZ/Z
> > grKyKm13kKpDCqe5P+kb3LQ=
> > =wkkY
> > -----END PGP SIGNATURE-----
> ------------------------------------------------------------------------------
> > Download Intel&#174; Parallel Studio Eval
> > Try the new software tools for yourself. Speed compiling, find bugs
> > proactively, and fine-tune applications for parallel performance.
> > See why Intel Parallel Studio got high marks during beta.
> > http://p.sf.net/sfu/intel-sw-dev
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
> ------------------------------------------------------------------------------
> Download Intel&#174; Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs