Snort mailing list archives

Re: Context: Malware Blog Post on Dark Comet RAT with Snort Signatures


From: Martin Holste <mcholste () gmail com>
Date: Thu, 3 Nov 2011 11:04:13 -0500

Context Information Security has released a blog post on the Dark Comet RAT. The article covers the reverse engineering and analysis of its functionality, how to decrypt its traffic, and Snort signatures to detect its traffic on the wire.


Intel is always welcome on mailing lists, but advertising is not.
Your post here is walking a very fine line between the two.


Signatures:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature: DarkComet-RAT Incoming Keepalive"; flow:from_server,established; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature: DarkComet-RAT Outgoing Keepalive"; flow:to_server,established; pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1; reference:url,www.contextis.com/research/blog/darkcometrat/;)


These signatures are poor and have had better versions available for
free to the Snort community since June 21st via a separate
organization on a separate mailing list under sid 2013090.  I have no
problem with beginners posting sigs that need improvement, but if you
advertise for your company, you lose "beginner" status.
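To see concretely what the two quoted rules match, here is an added Python check (not part of the original post or the Context blog) that applies each rule's flow direction and PCRE to constructed sample TCP payloads. The Segment type, the sample strings and the rule table are assumptions of this example; the samples are invented bytes that only exercise the regexes, not captured DarkComet traffic.

```python
import re
from dataclasses import dataclass

# The two PCRE bodies and flow directions from the rules quoted above.
# Snort pcre without modifiers is case-sensitive and unanchored (searches the payload).
RULES = [
    {"sid": 1000001, "direction": "from_server", "pattern": re.compile(r"KeepAlive\|\d{7}")},
    {"sid": 1000002, "direction": "to_server", "pattern": re.compile(r"KEEPALIVE\d{7}")},
]


@dataclass
class Segment:
    direction: str      # "to_server" or "from_server", as Snort's flow keyword classifies it
    established: bool   # both rules require flow:...,established
    payload: bytes      # raw TCP payload (constructed for this example)


def match_rules(seg: Segment) -> list:
    """Return the sids of the quoted rules whose direction and PCRE both match the segment."""
    if not seg.established:
        return []
    text = seg.payload.decode("latin-1")   # lossless byte-to-str mapping, like pcre on raw bytes
    return [r["sid"] for r in RULES
            if r["direction"] == seg.direction and r["pattern"].search(text)]


# Constructed samples, not real DarkComet traffic.
SAMPLES = [
    Segment("from_server", True, b"KeepAlive|1234567"),              # sid 1000001 fires
    Segment("to_server", True, b"KEEPALIVE7654321"),                 # sid 1000002 fires
    Segment("to_server", True, b"KeepAlive|1234567"),                # right bytes, wrong direction
    Segment("from_server", True, b"KeepAlive|12345"),                # only 5 digits, no match
    Segment("from_server", False, b"KeepAlive|1234567"),             # flow not established
    Segment("to_server", True, b"GET /KEEPALIVE0000000.js HTTP/1.1\r\n"),  # unanchored pcre also fires here
]


def run_samples() -> list:
    """Evaluate every sample segment against the rule table."""
    return [match_rules(s) for s in SAMPLES]


if __name__ == "__main__":
    for seg, hits in zip(SAMPLES, run_samples()):
        print(f"{seg.direction:<12} {seg.payload!r:<45} -> {hits}")
```

The last sample shows that, because neither pcre is anchored or paired with a content match, any payload in the right direction that merely contains the string and seven digits will trigger the rule.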

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs