Snort mailing list archives
Re: Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 21 Nov 2012 12:28:08 -0500
On 11/21/2012 07:59, babu dheen wrote:
Dear Support, We have enabled Snort IPS between two unix machines and once enabled, we are seeing the below events continuously. We would like to know what is meant by the below event and how we can solve the same.
Name : "BOTNET-CNC Trojan.Bankpatch.C authentication String detected"
Source IP : Solaris Server IP
Destination IP : Solaris Server IP
Destination Port : 80
as far as i can tell, that would be rule 1:21416 right? please always try to include the GID:SID in posts like this...

looking specifically for 1:21416 i see that VRT have it listed as disabled since at least 2012 Feb 21... that means that it should be available in the registered access rules set (latest is 2012 Oct 18) but i do not find it in the BOTNET-CNC rules as your message shows... instead, i find it in malware-cnc...

since this is a GID 1 rule, it is easy to look at the rule to see what it is looking for... in this particular case, it is an http POST to /index.php with the string "MDAw" repeated 6 times with one more "MDA" on the end...

you really should look at the pcaps for those alerts... you might want to use tcpdump to capture all the traffic so you can see what's really going on...

to find rules hint:

grep -i -E "sid:\W*21416;" /path/to/your/rules/*.rules

21416 is the rule's SID you are looking for... i have the above as a bash shell script named lookuprule that you and others might find usable ;)

#! /bin/bash
# lookuprule bash script to find snort rules by sid
# usage: lookuprule <sid>
grep -i -E "sid:\W*$1;" /path/to/your/rules/*.rules
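As an added example (not from this thread or from the Snort project), here is the same SID lookup done in Python, followed by a parser that breaks the matched rule line into its header and option values so you can read off exactly what a rule fires on (its content matches) and whether VRT ships it commented out. The rules text it runs on is constructed for illustration, with made-up SIDs, and is not the real 1:21416 rule.

```python
import re
# Constructed sample rules (not the real VRT rule for SID 21416): one rule
# shipped disabled (commented out with '#') and one enabled rule.
SAMPLE_RULES = '''
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Example.Family beacon"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; content:"MDAw"; http_client_body; sid:900001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Another.Family checkin"; flow:to_server,established; content:"GET"; http_method; sid:900002; rev:1;)
'''

def find_rule_by_sid(rules_text, sid):
    """Return the raw rule line carrying this SID (same match as grep -E "sid:\\W*<sid>;"), or None."""
    pat = re.compile(r"sid:\W*%d;" % sid)
    for line in rules_text.splitlines():
        if pat.search(line):
            return line.strip()
    return None

def _split_options(body):
    """Split the option body on ';' but never inside a quoted value."""
    parts, cur, in_q, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\" and in_q:
            cur.append(ch); esc = True
        elif ch == ";" and not in_q:
            parts.append("".join(cur).strip()); cur = []
        else:
            if ch == '"':
                in_q = not in_q
            cur.append(ch)
    return [p for p in parts if p]

def parse_rule(line):
    """Break a Snort 2 rule line into header fields and options; a leading '#' marks it disabled."""
    disabled = line.lstrip().startswith("#")
    text = line.lstrip().lstrip("#").strip()
    header, _, body = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = []
    for opt in _split_options(body.rstrip(")")):
        key, _, val = opt.partition(":")
        opts.append((key.strip(), val.strip().strip('"')))
    return {
        "disabled": disabled, "action": action, "proto": proto,
        "src": (src, sport), "dst": (dst, dport),
        "msg": next((v for k, v in opts if k == "msg"), None),
        "sid": next((int(v) for k, v in opts if k == "sid"), None),
        "contents": [v for k, v in opts if k == "content"],  # what the rule fires on
    }
```

Point it at your own rules directory by reading each *.rules file into `rules_text`; a rule that comes back with `disabled` set will never alert until you uncomment it.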
Current thread:
- Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication babu dheen (Nov 21)
- Re: Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication waldo kitty (Nov 21)
- Re: Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication babu dheen (Nov 22)
- Re: Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication Alec Waters (Nov 22)
- Re: Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication waldo kitty (Nov 22)
- Re: Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication babu dheen (Nov 22)
- Re: Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication waldo kitty (Nov 21)