Snort mailing list archives

Linux Fokirtor Backdoor


From: Y M <snort () outlook com>
Date: Tue, 19 Nov 2013 20:43:51 +0000

I would imagine that the pcre may not be required or may even not be right. Not much data to work with. Any second look at this can help.

alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"MALWARE-BACKDOOR Linux.Trojan.Fokirtor inbound command attempt"; flow:to_server,established; content:"|3A 21 3B 2E|"; fast_pattern:only; pcre:"/\x3a\x21\x3b\x2e[A-Z0-9]{10,}/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssh; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:100112;)

Thanks.
YM
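To sanity-check the rule's two payload tests, here is an added Python emulation of the content and pcre checks run over constructed sample payloads (this is not Snort and not part of the original post; flow and port matching are not emulated). It shows that the pcre is stricter than the content match: a payload carrying the ":!;." marker followed by fewer than ten characters, or by any lowercase character, passes the content check but not the pcre, so the rule would not fire on it.

```python
import re

# The rule's content match, content:"|3A 21 3B 2E|", is the four bytes ":!;.".
CONTENT_MARKER = bytes.fromhex("3a213b2e")

# The rule's pcre: the marker followed by ten or more uppercase letters or digits.
PCRE = re.compile(rb"\x3a\x21\x3b\x2e[A-Z0-9]{10,}")


def content_match(payload: bytes) -> bool:
    """Emulates content:"|3A 21 3B 2E|"; fast_pattern:only.
    The marker must still be present in the payload for the rule to be evaluated."""
    return CONTENT_MARKER in payload


def pcre_match(payload: bytes) -> bool:
    """Emulates pcre:"/\\x3a\\x21\\x3b\\x2e[A-Z0-9]{10,}/" (unanchored search)."""
    return PCRE.search(payload) is not None


def rule_fires(payload: bytes) -> bool:
    """Both payload tests must pass for the rule to alert."""
    return content_match(payload) and pcre_match(payload)


def evaluate(payloads: dict) -> dict:
    """Returns {name: (content_match, pcre_match, rule_fires)} for each sample."""
    return {name: (content_match(p), pcre_match(p), rule_fires(p))
            for name, p in payloads.items()}


# Constructed sample payloads (hypothetical, not captured Fokirtor traffic).
SAMPLES = {
    "upper_alnum": b"noise\r\n:!;.ABC123DEF456",  # marker + 12 uppercase/digits
    "mixed_case":  b":!;.aBc123dEf456",           # lowercase right after marker
    "too_short":   b":!;.ABC12",                  # only 5 characters after marker
    "no_marker":   b"plain ssh data",             # marker absent
}

if __name__ == "__main__":
    for name, result in evaluate(SAMPLES).items():
        print(f"{name:12} content={result[0]!s:5} pcre={result[1]!s:5} fires={result[2]}")
```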