Snort mailing list archives
Night Dragon
From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Thu, 10 Feb 2011 23:22:23 -0500
FYI, we also just added 2 new sigs for the Night Dragon thing:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Night Dragon Dropper Download Command"; flow:established,from_server; dsize:5; content:"|01 08 00 00 00|"; depth:5; classtype:trojan-activity; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; sid:2012308; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Night Dragon CMD Shell"; flow:established,to_server; content:"|68 57 24 13 00 33|Microsoft"; offset:12; depth:15; classtype:trojan-activity; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; sid:2012307; rev:1;)

These are the ones you should soil yourself over when you see them hitting on your net. :)

Recommend everyone push them, regardless of the ruleset you run!

Matt

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
Current thread:
- Night Dragon Matthew Jonkman (Feb 10)
- Re: Night Dragon Randal T. Rioux (Feb 10)