Snort mailing list archives

Re: Help Writing a snort signature


From: Y M <snort () outlook com>
Date: Wed, 17 Aug 2016 04:06:20 +0000

Do you have a specific file hash or pcap? This would greatly help.


Judging from Google searches, one sample might be of interest (a2dc261893d9ccb4be571b0ef6b52a40) and is probably for 
the downloader and not the backdoor itself. In this case you can use the URIs to write signatures against. Though URIs 
alone may not provide accurate detection, or you may end up writing a signature for each URI variant/pattern. It would be 
nice to have additional information to use.


YM

________________________________
From: Lawrence Belyeu <lbelyeu71 () gmail com>
Sent: Wednesday, August 17, 2016 6:28:00 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Help Writing a snort signature

Folks, I'm having a hard time writing a signature I need for my job. It's in relation to the Symantec Security Response 
signature for Trojan.Zekapab and Backdoor.Zekapab.
Can someone please point me to where I can get help in writing this? I have the sheet to help decipher what to input for 
signatures.

Please help, thanks
Lawrence