Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Anyone got an *incoming* Bropia rule?

from [Jason Haar] Network Security [Permanent Link]
Subject: [Snort-sigs] Anyone got an *incoming* Bropia rule?
Date: Fri, 18 Feb 2005 18:56:52 +1300 
Hi there

The Bleeding snort rules I've seen around for catching Bropia appear to be for catching it calling *out* - not for catching it as it is delivered to MS Messenger? I've now got 4 BS rules for detecting Bropia variants, and it's never triggered - even though our internal AV has been catching it on the desktop. Also if we ever got infected, our firewalls blocks outgoing traffic - especially the IRC Bropia prefers - so these TCP rules would never trigger anyway :-(

All our outgoing Web traffic (which includes MS Messenger) is via proxies, so I've even removed explicit port numbers from the rules (i.e. replaced with "any") and it still isn't catching anything.

Has anyone any ideas what else I can try? Bropia has a fair amount of publicity at the moment and I'd like Snort to be showing it up ;-)

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] Anyone got an *incoming* Bropia rule?, Jason Haar <=
Previous by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Previous by Thread:  [Snort-sigs] OT: cleanup in Bleeding edge rules, Jason Haar
Next by Thread:  [Snort-sigs] FP for WEB-CLIENT winamp .cda file name overflow attempt Sig ID 3088, Russell Fulton
Indexes:  [Date] [Thread] [Top] [All Lists]