Snort mailing list archives
Re: Snort Ebury SSH Rootkit
From: rmkml <rmkml () yahoo fr>
Date: Sat, 22 Feb 2014 21:02:59 +0100 (CET)
Thx you YM for sharing,

On msg, maybe add "i" on activty.
add flow:to_server,established;
add depth:7 after first content
add content:!"|0A|"; within:20; distance:0; after isdataat
I don't know if the backdoor is inbound (on your example to $HOME_NET) or outbound (to $EXTERNAL_NET)?

Regards
@Rmkml

On Sat, 22 Feb 2014, Y M wrote:
Another rule suggested/authored by ESET on welivesecurity. Sig is at the bottom:
http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"Linux/Ebury SSH backdoor activty"; content:"SSH-2.0"; isdataat:20,relative; pcre:"/^SSH-2\.0-[0-9a-f]{22,46}/sm"; reference:url,http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/; classtype:trojan-activity; sid:1000001; rev:1;)

> Date: Mon, 17 Feb 2014 13:33:31 +0100
> From: rmkml () yahoo fr
> To: snort () outlook com; lukas.matt () sophos com
> CC: snort-sigs () lists sourceforge net; rmkml () yahoo fr
> Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
>
> Thx you for sharing,
>
> I'm curious if this rootkit always uses the same DNS transaction ID please?
>
> This sig fixed 0x120b (4619 dec)
>
> Two comments:
> - extra [] on [\x00]{6}
> - extra | on [\x01|\x02|\x03]
>
> Regards
> @Rmkml
>
>
> On Mon, 17 Feb 2014, Y M wrote:
>
> > I can't help with that :).
> >
> > YM
> >
> > Date: Mon, 17 Feb 2014 11:35:52 +0100
> > From: lukas.matt () sophos com
> > To: snort () outlook com
> > CC: snort-sigs () lists sourceforge net
> > Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> >
> > Thanks YM!
> >
> > But if I see that correctly there was no answer whether it will be included or not, right (and when)?
> >
> > Cheers,
> > Lukas
> >
> > On 02/17/2014 11:30 AM, Y M wrote:
> > Hi Lukas,
> >
> > This has been posted to the list 2 days ago :).
> >
> > http://seclists.org/snort/2014/q1/364
> >
> > YM
> >
> > Date: Mon, 17 Feb 2014 11:26:03 +0100
> > From: lukas.matt () sophos com
> > To: snort-sigs () lists sourceforge net
> > Subject: [Snort-sigs] Snort Ebury SSH Rootkit
> >
> > Hi guys,
> >
> > the German intelligence agency wrote some Snort rule for detecting the Ebury Rootkit.
> > Are you aware of that rule, and when will it be included into the pattern-set?
> >
> > https://www.cert-bund.de/ebury-faq
> >
> > alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
> >   (msg:"Ebury SSH Rootkit data exfiltration";\
> >   content:"|12 0b 01 00 00 01|"; depth:6;\
> >   pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}\
> >   (([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs";\
> >   reference:url,https://www.cert-bund.de/ebury-faq;\
> >   classtype:trojan-activity; sid:10001; rev:1;)
> >
> >
> > Cheers,
> > Lukas
> >
> >
> > --
> > Lukas Matt
> > Deep Packet Inspection Researcher, RnD
> >
> > tel: +49-721-25516-322, cell: +49-174-3440-555
> >
> > Sophos Technology GmbH
> > Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
> >
> > SOPHOS Security made simple
> >
> > ---
> > Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> > Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
> > Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
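To check the two rule bodies quoted in this thread offline, here is an added example (not code from the thread, ESET or CERT-Bund) that emulates the content/isdataat/depth checks and both pcre expressions in Python over constructed payloads; the `dns_query` builder, the sample banners and the "fixed" regex variant are my own assumptions, and the DNS part shows why the reply flags the `|` inside the character class.

```python
import re
import struct

# ESET rule, as posted: content:"SSH-2.0"; isdataat:20,relative;
# pcre:"/^SSH-2\.0-[0-9a-f]{22,46}/sm"  (Snort /s /m -> re.S | re.M)
SSH_PCRE = re.compile(rb"^SSH-2\.0-[0-9a-f]{22,46}", re.S | re.M)

def ssh_rule_matches(payload: bytes) -> bool:
    """Emulate the rule: content match, then isdataat:20,relative, then the pcre."""
    idx = payload.find(b"SSH-2.0")
    if idx < 0 or len(payload) - (idx + 7) < 20:  # isdataat:20,relative
        return False
    return SSH_PCRE.search(payload) is not None

# CERT-Bund rule pcre copied verbatim; note the redundant [] around \x00 and the
# '|' inside the class, which makes the class also accept the byte 0x7c ('|').
DNS_PCRE_AS_POSTED = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}"
    rb"(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01", re.S)
# Same expression with the reply's two comments applied (assumed corrected form)
DNS_PCRE_FIXED = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01\x00{6}.[a-f0-9]{6,}"
    rb"(([\x01-\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01", re.S)

def dns_query(txid: int, first_label: bytes, labels: tuple) -> bytes:
    """Constructed DNS A query for <first_label>.<l1>.<l2>... (sample data, not a capture)."""
    hdr = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    qname = bytes([len(first_label)]) + first_label
    for lab in labels:
        s = str(lab).encode()
        qname += bytes([len(s)]) + s
    return hdr + qname + b"\x00" + struct.pack(">HH", 1, 1)  # root, QTYPE A, QCLASS IN

def dns_rule_matches(payload: bytes, pattern=DNS_PCRE_AS_POSTED) -> bool:
    """Emulate content:"|12 0b 01 00 00 01|"; depth:6; followed by the pcre."""
    return payload[:6] == b"\x12\x0b\x01\x00\x00\x01" and pattern.search(payload) is not None

if __name__ == "__main__":
    banner = b"SSH-2.0-" + b"0123456789abcdef0123456789abcdef" + b"\r\n"  # constructed
    print("ebury-style banner:", ssh_rule_matches(banner))  # True
    print("OpenSSH banner:", ssh_rule_matches(b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu2\r\n"))  # False
    q = dns_query(0x120b, b"deadbeef", (10, 0, 0, 1))
    print("txid 0x120b query:", dns_rule_matches(q), dns_rule_matches(q, DNS_PCRE_FIXED))  # True True
    # Swap the length byte of the "10" label for 0x7c: only the as-posted class accepts it
    bogus = q.replace(b"\x02" + b"10", b"\x7c" + b"10")
    print("0x7c length byte:", dns_rule_matches(bogus), dns_rule_matches(bogus, DNS_PCRE_FIXED))  # True False
```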
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!