Snort mailing list archives

Re: [Emerging-Sigs] Signatures for ELF packages?


From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 18 Dec 2012 09:30:08 -0700

LC,

VRT has a few that match, also ET rule 2000418 looks like it would work,
although it's commented out in my setup.  Hope that helps.

James


From: emerging-sigs-bounces () lists emergingthreats net
[mailto:emerging-sigs-bounces () lists emergingthreats net] On Behalf Of
L0rd Ch0de1m0rt
Sent: Tuesday, December 18, 2012 7:41 AM
To: emerging-sigs () emergingthreats net; snort-sigs () lists sourceforge net
Subject: [Emerging-Sigs] Signatures for ELF packages?
Recently we released a corporate Linux desktop image for our developers
and since then I have (obviously) seen a lot of ELF packages come down
with people doing updates/installs etc. I also see some ELF binaries on
one of our mail servers (mail12.internal -- we assign mail servers based
on employee birth month for load balancing).

Are there some known good sigs for detecting ELF packages being received
or anything similar coming down the stack?

I understand the ELF activity due to updates and things but it seemed
weird to see it on mail12:25.  The other weird thing is I also see TCP
packets with the FIN, Push, and Urgent flags set that are going to/from
the Linux boxes.  This probably isn't related so I mention it here
mostly for my personal reference.

I'm new to inspecting an environment where Linux is allowed on the
corporate network so I appreciate any help.  The ELF packages were
suspicious but I suspect that most are nice and not bad.  However, on
mail12:25, when I see the ELF packages and related activity, afterwards
there are a lot of sockets hung and I have to carefully restart the
service.

Cheers,

-L0rd C.
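Since the question is what a signature for ELF files on the wire actually keys on, here is an added example (not from this thread, and not VRT or ET rule code): a small Python detector that does what a Snort content match on the ELF magic bytes does (the equivalent rule option would be `content:"|7F 45 4C 46|"; depth:4;` applied to the file or response body) and then parses the e_ident and e_type fields so a hit can be labelled as an executable or shared object, and so a random stream that merely contains those four bytes somewhere in the middle is not reported. The HTTP payloads below are constructed samples, and the header-splitting helper is a simplification of what a real preprocessor does.

```python
"""Detect ELF files at the start of a captured body by parsing the ELF header.

Added example, not part of the mailing-list thread. Mirrors a Snort content
match on |7F 45 4C 46| at offset 0 of a file body, then validates the
identification bytes so malformed hits are dropped.
"""
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"

# Values from the ELF specification's e_ident and e_type fields.
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little-endian", 2: "big-endian"}
ELF_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def parse_elf_header(data: bytes) -> Optional[dict]:
    """Describe the ELF header at the START of data, or return None.

    Only the first 20 bytes are needed: 16 bytes of e_ident, then e_type
    and e_machine (two 16-bit fields in the file's own byte order).
    """
    if len(data) < 20 or not data.startswith(ELF_MAGIC):
        return None
    ei_class, ei_data, ei_version = data[4], data[5], data[6]
    if ei_class not in ELF_CLASS or ei_data not in ELF_DATA or ei_version != 1:
        return None  # magic present but identification fields are invalid
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": ELF_CLASS[ei_class],
        "data": ELF_DATA[ei_data],
        "type": ELF_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": e_machine,
    }


def scan_http_response(payload: bytes) -> Optional[dict]:
    """Split an HTTP response at the header/body boundary and check the body.

    Simplified helper (assumption: no chunked or compressed transfer
    encoding); a real IDS hands the decoded body to the content match.
    """
    sep = payload.find(b"\r\n\r\n")
    body = payload[sep + 4:] if sep != -1 else payload
    return parse_elf_header(body)


# Constructed sample traffic for this example.
ELF64_X86_64_EXEC = (
    ELF_MAGIC
    + bytes([2, 1, 1, 0])          # ELF64, little-endian, version 1, SYSV ABI
    + b"\x00" * 8                  # ABI version and padding
    + struct.pack("<HH", 2, 62)    # e_type = ET_EXEC, e_machine = 62 (x86-64)
    + b"\x00" * 44                 # rest of a 64-byte ELF64 header
)
SAMPLE_ELF_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    + ELF64_X86_64_EXEC
)
# Text body that contains the magic mid-stream: must NOT be reported.
SAMPLE_TEXT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"readme: files starting with \x7fELF are Linux binaries\n"
)
# Magic present but ei_class byte out of range: must NOT be reported.
SAMPLE_BAD_CLASS = ELF_MAGIC + bytes([9, 1, 1, 0]) + b"\x00" * 16


if __name__ == "__main__":
    for name, pkt in [("elf", SAMPLE_ELF_RESPONSE), ("text", SAMPLE_TEXT_RESPONSE)]:
        print(name, scan_http_response(pkt))
    print("bad-class", parse_elf_header(SAMPLE_BAD_CLASS))
```

Matching only at the start of the body and checking the identification bytes keeps the rule from firing on every stream that happens to carry the four magic bytes; the e_type field is what lets a policy rule distinguish an executable download from a shared object or core file if that distinction matters in an alert.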

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!