Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17
From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 17 Mar 2010 15:45:08 -0400
There are some better pieces of detection we can use to find this thing, actually. I'll get the rule updated by the next SEU.

On Wed, Mar 17, 2010 at 3:38 PM, Mike Cox <mike.cox52 () gmail com> wrote:
> I find it ironic that the Oinkmaster update email trips rule 10089:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by ftp"; flow:to_server,established; content:"Open"; nocase; content:"Beyond"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; metadata:policy security-ips drop; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453097340; classtype:successful-recon-limited; sid:10089; rev:4;)
>
> Maybe you could add some flowbits so this only alerts if a true FTP session has been identified. Just looking for "Open" followed by "Beyond" followed by "Keylogger" seems like it will have a lot of false positives. In fact, this email should create some.
>
> -Mike Cox
>
> On 3/17/10, Research <research () sourcefire com> wrote:
>> Sourcefire VRT Certified Snort Rules Update
>>
>> Synopsis:
>> This release adds and modifies rules in several categories.
>>
>> Details:
>> As a result of ongoing research, the Sourcefire VRT has added multiple rules to the specific-threats and spyware-put rule sets to provide coverage for emerging threats from these technologies.
>>
>> For a complete list of new and modified rules please see:
>> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-03-17.html
-- Alex Kirk AEGIS Program Lead Sourcefire Vulnerability Research Team +1-410-423-1937 alex.kirk () sourcefire com
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
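Mike's point about the three bare content matches, and his flowbits suggestion, as an added Python example (not code from this thread or from the VRT ruleset): it emulates the rule's content/distance:0/nocase chain and a flowbits-style gate that only lets the rule evaluate once a flow has been identified as FTP. The flow keys, the 220-banner-then-USER heuristic and the sample payloads are constructed assumptions.

```python
# Added example, not code from the list thread or the VRT ruleset: emulates
# SID 10089's content chain and a flowbits-style gate for identified FTP flows.
PATTERNS = ("Open", "Beyond", "Keylogger")

def content_chain_matches(payload: bytes, patterns=PATTERNS) -> bool:
    """content:"Open"; nocase; content:"Beyond"; distance:0; nocase; ...
    Each pattern must start at or after the end of the previous match."""
    hay = payload.lower()
    pos = 0
    for pat in patterns:
        idx = hay.find(pat.lower().encode(), pos)
        if idx < 0:
            return False
        pos = idx + len(pat)  # distance:0 -> next search starts at the match end
    return True

class FlowState:
    """Per-flow flowbits. 'ftp.session' is set only after a server 220 banner
    followed by a client USER command (a constructed heuristic, not Snort's)."""
    def __init__(self):
        self.bits = {}
    def observe(self, flow, direction, payload: bytes):
        bits = self.bits.setdefault(flow, set())
        if direction == "to_client" and payload.startswith(b"220"):
            bits.add("ftp.banner")
        elif direction == "to_server" and payload.upper().startswith(b"USER ") \
                and "ftp.banner" in bits:
            bits.add("ftp.session")
    def is_set(self, flow, bit):
        return bit in self.bits.get(flow, set())

def sid_10089(flow, direction, payload: bytes, state: FlowState, gate_on_ftp: bool) -> bool:
    """flow:to_server plus the content chain; optionally flowbits:isset,ftp.session."""
    if direction != "to_server":
        return False
    if gate_on_ftp and not state.is_set(flow, "ftp.session"):
        return False
    return content_chain_matches(payload)

def demo():
    state = FlowState()
    # Constructed SMTP payload: the list mail quoting the rule, sent client -> server.
    mail = b'Just looking for "Open" followed by "Beyond" followed by "Keylogger" ...'
    ungated = sid_10089("smtp-1", "to_server", mail, state, gate_on_ftp=False)
    gated = sid_10089("smtp-1", "to_server", mail, state, gate_on_ftp=True)
    # Constructed FTP flow: banner, login, then an upload whose name carries the tool name.
    state.observe("ftp-1", "to_client", b"220 FTP server ready\r\n")
    state.observe("ftp-1", "to_server", b"USER logs\r\n")
    upload = b"STOR open_Beyond_KEYLOGGER_log.txt\r\n"
    return ungated, gated, sid_10089("ftp-1", "to_server", upload, state, gate_on_ftp=True)
```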
Current thread:
- Sourcefire VRT Certified Snort Rules Update 2010-03-17 Research (Mar 17)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Mike Cox (Mar 17)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Alex Kirk (Mar 17)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Seth Art (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Will Metcalf (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Joel Esler (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Will Metcalf (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Joel Esler (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Mike Cox (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Joel Esler (Mar 23)
- Re: Sourcefire VRT Certified Snort RulesUpdate2010-03-17 evilghost () packetmail net (Mar 23)
- Re: Sourcefire VRT Certified Snort RulesUpdate2010-03-17 Sethsec (Mar 23)
- Re: Sourcefire VRT Certified Snort RulesUpdate2010-03-17 L0rd Ch0de1m0rt (Mar 24)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Will Metcalf (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Mike Cox (Mar 17)