Snort mailing list archives
Re: [Emerging-Sigs] Signatures for ELF packages?
From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 18 Dec 2012 09:30:08 -0700
LC,

VRT has a few that match, also ET rule 2000418 looks like it would work, although it's commented out in my setup.

Hope that helps.

James

From: emerging-sigs-bounces () lists emergingthreats net [mailto:emerging-sigs-bounces () lists emergingthreats net] On Behalf Of L0rd Ch0de1m0rt
Sent: Tuesday, December 18, 2012 7:41 AM
To: emerging-sigs () emergingthreats net; snort-sigs () lists sourceforge net
Subject: [Emerging-Sigs] Signatures for ELF packages?

Recently we released a corporate Linux desktop image for our developers and since then I have (obviously) seen a lot of ELF packages come down with people doing updates/installs etc. I also see some ELF binaries on one of our mail servers (mail12.internal -- we assign mail servers based on employee birth month for load balancing).

Are there some known good sigs for detecting ELF packages being received or anything similar coming down the stack? I understand the ELF activity due to updates and things but it seemed weird to see it on mail12:25.

The other weird thing is I also see TCP packets with the FIN, Push, and Urgent flags set that are going to/from the Linux boxes. This probably isn't related so I mention it here mostly for my personal reference.

I'm new to inspecting an environment where Linux is allowed on the corporate network so I appreciate any help. The ELF packages were suspicious but I suspect that most are nice and not bad. However, on mail12:25, when I see the ELF packages and related activity, afterwards there are a lot of sockets hung and I have to carefully restart the service.

Cheers,
-L0rd C.
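As an added example (not from this thread, and not the VRT or ET rule mentioned above), here is a small Python triage helper for the question asked: it flags a payload as ELF by the same four magic bytes a Snort rule would match with `file_data; content:"|7F 45 4C 46|"; depth:4;`, then reads the class, endianness, type and machine from the header so that expected package downloads can be separated from anything odd. All function names are hypothetical and the HTTP response used as input is constructed.

```python
import struct

ELF_MAGIC = b"\x7fELF"  # what the Snort content match |7F 45 4C 46| at depth:4 looks for

# e_type values from the ELF specification
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
# a few common e_machine values (not exhaustive)
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def http_body(payload: bytes) -> bytes:
    """Return the body of a raw HTTP response, or the payload itself if no header is present."""
    sep = payload.find(b"\r\n\r\n")
    return payload[sep + 4:] if sep != -1 else payload


def parse_elf_header(data: bytes):
    """Describe the ELF header at the start of data; None if it is not a well-formed ELF start."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None                               # magic present but e_ident is malformed
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": "ELF32" if ei_class == 1 else "ELF64",
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
    }


def triage(payload: bytes):
    """Run the ELF check on the body of a captured HTTP response (or a bare payload)."""
    return parse_elf_header(http_body(payload))


# Constructed sample: an HTTP response whose body starts with a minimal ELF64 x86-64 executable header
ELF64_HEADER = (ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
                + struct.pack("<HH", 2, 62) + b"\x00" * 44)
SAMPLE_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + ELF64_HEADER
SAMPLE_TEXT = b"HTTP/1.1 200 OK\r\n\r\n<html>not a binary</html>"

if __name__ == "__main__":
    print(triage(SAMPLE_HTTP))   # ELF64, little-endian, ET_EXEC, x86-64
    print(triage(SAMPLE_TEXT))   # None
```

Feed it reassembled stream payloads (for example files carved from a pcap) to see which of the ELF downloads are plain package binaries and which are worth a closer look.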