Snort mailing list archives
Re: Question on 26287
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 2 Apr 2013 17:23:40 -0600
On Apr 2, 2013, at 4:47 PM, Joel Esler <jesler () sourcefire com> wrote:
> On Apr 2, 2013, at 4:16 PM, James Lay <jlay () slave-tothe-box net> wrote:
>
>> Hey all. Here's the rule:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Ortega Rootkit outbound connection - search.namequery.com"; flow:to_server,established; content:" search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|TagId: "; depth:9; offset:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:1;)
>>
>> Any additional info on this? You didn't hear this from me, but this fires on Fujitsu Q550 running Windows 7 Professional x86 out of the box :)
>
> Here is that rule now (it hasn't been shipped yet):
>
> # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.absolute.com/en/products/absolute-computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:3;)
>
> This is Computrace's "laptop lo-jack" software. I've moved it from MALWARE-CNC to APP-DETECT, changed the message and took it out of the balanced policy.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
Awesome... thanks Joel.

James
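The two revisions quoted above differ in more than the message and category: rev:1 anchors its second content match to a fixed byte position (depth:9, offset:15, no http_header), while rev:3 looks for the full "Host: search.namequery.com" line and a "TagId: " header anywhere in the http_header buffer. The following Python script is an added example, not part of this thread or of the Snort project: it models Snort's content, http_header, offset and depth option semantics just far enough to run both revisions of sid 26287 over constructed HTTP requests (no captured Computrace traffic; the TagId value is a placeholder). The http_header buffer is approximated as the header block after the request line, which is an assumption; flow state, the fast_pattern hint and the reference options are not modelled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Both revisions of sid:26287 as posted in the thread (reference options omitted).
# rev:3 keeps the leading '#' exactly as posted: it was still commented out.
RULE_REV1 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Ortega '
    'Rootkit outbound connection - search.namequery.com"; flow:to_server,established; '
    'content:" search.namequery.com|0D 0A|"; fast_pattern:only; http_header; '
    'content:"|0D 0A|TagId: "; depth:9; offset:15; metadata:impact_flag red, '
    'policy balanced-ips drop, policy security-ips drop, ruleset community, '
    'service http; classtype:trojan-activity; sid:26287; rev:1;)'
)
RULE_REV3 = (
    '# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute '
    'Software Computrace outbound connection - search.namequery.com"; '
    'flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; '
    'fast_pattern:only; http_header; content:"TagId: "; http_header; '
    'metadata:policy security-ips drop, ruleset community, service http; '
    'classtype:trojan-activity; sid:26287; rev:3;)'
)


@dataclass
class ContentMatch:
    pattern: bytes
    http_header: bool = False    # search the header buffer instead of the raw payload
    offset: int = 0              # start searching this many bytes into the buffer
    depth: Optional[int] = None  # search only this many bytes from the offset point


# One rule option: name, optional ':' value (quoted or bare), terminated by ';'
OPTION_RE = re.compile(r'\s*([\w-]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(raw: str) -> bytes:
    """Decode a Snort content string: literal text with |hex| sections,
    so |3A| becomes ':' and |0D 0A| becomes CRLF."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(rule: str) -> List[ContentMatch]:
    """Collect the content options and the modifiers that follow each one.
    Non-content options (flow, metadata, classtype, ...) are ignored here."""
    body = rule.lstrip("# ")
    opts = body[body.index("(") + 1 : body.rindex(")")]
    matches: List[ContentMatch] = []
    for m in OPTION_RE.finditer(opts):
        name, value = m.group(1), m.group(2)
        if name == "content":
            matches.append(ContentMatch(decode_content(value.strip().strip('"'))))
        elif name == "http_header" and matches:
            matches[-1].http_header = True
        elif name == "offset" and matches:
            matches[-1].offset = int(value)
        elif name == "depth" and matches:
            matches[-1].depth = int(value)
    return matches


def http_header_buffer(payload: bytes) -> bytes:
    """Assumed approximation of Snort's http_header buffer for a request:
    everything after the request line through the CRLF CRLF ending the headers."""
    end = payload.find(b"\r\n\r\n")
    if end < 0:
        return b""
    return payload[payload.find(b"\r\n") + 2 : end + 4]


def content_hits(cm: ContentMatch, payload: bytes) -> bool:
    buf = http_header_buffer(payload) if cm.http_header else payload
    region = buf[cm.offset:] if cm.depth is None else buf[cm.offset : cm.offset + cm.depth]
    return cm.pattern in region


def rule_matches(rule: str, payload: bytes) -> bool:
    """Every content option must hit; established-flow state is not modelled."""
    return all(content_hits(cm, payload) for cm in parse_rule(rule))


# Constructed requests (not captured traffic; the TagId value is a placeholder).
REQ_HOST_THEN_TAGID = (b"GET / HTTP/1.1\r\nHost: search.namequery.com\r\n"
                       b"TagId: EXAMPLE-TAG-PLACEHOLDER\r\n\r\n")
REQ_TAGID_AT_BYTE_15 = (b"GET /a HTTP/1.1\r\nTagId: EXAMPLE-TAG-PLACEHOLDER\r\n"
                        b"Host: search.namequery.com\r\n\r\n")
REQ_NO_TAGID = b"GET / HTTP/1.1\r\nHost: search.namequery.com\r\nUser-Agent: x\r\n\r\n"
REQ_OTHER_HOST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nTagId: EXAMPLE-TAG-PLACEHOLDER\r\n\r\n"


def compare_revisions(payload: bytes) -> dict:
    return {"rev1": rule_matches(RULE_REV1, payload), "rev3": rule_matches(RULE_REV3, payload)}


if __name__ == "__main__":
    for name, req in [("host-then-tagid", REQ_HOST_THEN_TAGID),
                      ("tagid-at-byte-15", REQ_TAGID_AT_BYTE_15),
                      ("no-tagid", REQ_NO_TAGID), ("other-host", REQ_OTHER_HOST)]:
        print(name, compare_revisions(req))
```

On these inputs rev:1 only fires when the CRLF before "TagId: " lands exactly at payload byte 15, i.e. after a 15-byte request line, so any other request line length silences it; rev:3 fires on the same headers in either order. rev:3 also requires the literal "Host: " prefix, so the domain can no longer be matched as a substring of some other header value. Either way the alert is now categorised as application detection, so in a security-ips deployment (where rev:3 still drops) the follow-up is to confirm the asset is a Computrace-enrolled machine rather than to treat the hit as C2.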
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!