Snort mailing list archives

Re: Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication


From: babu dheen <babudheen () yahoo co in>
Date: Thu, 22 Nov 2012 18:31:18 +0800 (SGT)

Dear Waldo,
Thanks for the update. I will surely run the pcap on the destination server and find out what exactly the HTTP 
request is. 
But I would like to know what the impact of this alert is, or if you can give me a security advisory for this event, that will be 
helpful to resolve the issue once identified. 
Regards
Babudheen


________________________________
 From: waldo kitty <wkitty42 () windstream net>
To: snort-users () lists sourceforge net 
Sent: Wednesday, 21 November 2012 8:28 PM
Subject: Re: [Snort-users] Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication
  
On 11/21/2012 07:59, babu dheen wrote:
Dear Support,
We have enabled Snort IPS between two unix machines and once enabled, we are
seeing the below events continuously. We would like to know what the below
event means and how we can solve the same.
Name : "BOTNET-CNC Trojan.Bankpatch.C authentication String detected"
Source IP : Solaris Server IP
Destination IP : Solaris Server IP
Destination Port : 80

as far as i can tell, that would be rule 1:21416 right? please always try to 
include the GID:SID in posts like this...

looking specifically for 1:21416 i see that VRT have it listed as disabled since 
at least 2012 Feb 21... that means that it should be available in the registered 
access rules set (latest is 2012 Oct 18) but i do not find it in the BOTNET-CNC 
rules as your message shows... instead, i find it in malware-cnc...

since this is a GID 1 rule, it is easy to look at the rule to see what it is 
looking for... in this particular case, it is an http POST to /index.php with the 
string "MDAw" repeated 6 times with one more "MDA" on the end... you really 
should look at the pcaps for those alerts... you might want to use tcpdump to 
capture all the traffic so you can see what's really going on...


to find rules hint: grep -i -E "sid:\W*21416;" /path/to/your/rules/*.rules

21416 is the rule's SID you are looking for... i have the above as a bash shell 
script named lookuprule that you and others might find usable ;)


#! /bin/bash
# lookuprule bash script to find snort rules by sid
# usage: lookuprule <sid>
[ $# -eq 1 ] || { echo "usage: $0 <sid>" >&2; exit 1; }
# matches "sid:21416;" with or without whitespace after the colon
grep -i -E "sid:\W*$1;" /path/to/your/rules/*.rules


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
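An added example, not from either poster and not Snort's own detection logic: the conditions Waldo describes for 1:21416 (an HTTP POST to /index.php carrying "MDAw" six times followed by "MDA") checked against a few constructed HTTP requests, the way one would triage requests pulled out of the tcpdump capture. The parser, the `triage` helper, the host 192.0.2.10 and the sample bodies are assumptions made for the example; the real rule's exact options are not quoted in the thread, so this only approximates them.

```python
import base64

# Constructed from the description in the thread: "MDAw" repeated six
# times with one more "MDA" on the end (27 characters, no '=' padding).
BANKPATCH_AUTH_STRING = "MDAw" * 6 + "MDA"


def decode_auth_string(s: str) -> bytes:
    """Base64-decode a string whose '=' padding was stripped."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser (hypothetical helper, not Snort's
    http_inspect). Returns (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, _version = (p.decode("ascii", "replace") for p in parts)
    path = uri.split("?", 1)[0]          # drop the query string
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    return method, path, headers, body


def matches_bankpatch_rule(raw: bytes) -> bool:
    """Approximation (assumption) of what the thread says 1:21416 looks for:
    a POST, to /index.php, with the authentication string in the body."""
    try:
        method, path, _headers, body = parse_http_request(raw)
    except ValueError:
        return False
    return (method == "POST"
            and path == "/index.php"
            and BANKPATCH_AUTH_STRING.encode() in body)


def triage(captures):
    """Given {label: raw_request}, return the labels that would fire the rule."""
    return [label for label, raw in captures.items() if matches_bankpatch_rule(raw)]


def build_post(path: str, body: bytes) -> bytes:
    """Assemble a constructed POST request; 192.0.2.10 is a documentation address."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.10\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


# Constructed sample requests standing in for what tcpdump would show.
SAMPLE_CAPTURES = {
    "bankpatch-like": build_post("/index.php", b"id=" + BANKPATCH_AUTH_STRING.encode()),
    "benign-login": build_post("/index.php", b"user=babu&pass=s3cret"),
    "other-path": build_post("/api/upload", b"data=" + BANKPATCH_AUTH_STRING.encode()),
    "get-request": (b"GET /index.php?id=" + BANKPATCH_AUTH_STRING.encode()
                    + b" HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
}

if __name__ == "__main__":
    print("auth string decodes to:", decode_auth_string(BANKPATCH_AUTH_STRING))
    print("captures that fire:", triage(SAMPLE_CAPTURES))
```

Decoding the string is the useful part for the impact question: "MDAw" is base64 for "000", so the whole "authentication string" is just twenty ASCII zeros in base64. Any application on the Solaris box that POSTs a base64 blob of zero-filled fields to /index.php will look the same on the wire, which is why the capture of the actual request, and what the application behind port 80 does with it, decides whether this is a real C2 check-in or a false positive to tune out.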
