Network Security Snort-Signatures

[Snort-sigs] FP for BLEEDING-EDGE TROJAN IRC Bot DDoS command

Subject: [Snort-sigs] FP for BLEEDING-EDGE TROJAN IRC Bot DDoS command
Date: Thu, 26 May 2005 09:53:10 +1200
Hi all,
I'm seeing lots of FP from SIP traffic against this rule.

Russell


META
--------
SID     CID     TimeStamp               Signature
3       4035855 2005-05-25 15:49:54     BLEEDING-EDGE TROJAN IRC Bot DDoS command
Sig ID
2001788

Sensor Hostname                         Sensor Interface
hihi.itss       eth1

IP
--------
Source Address  Dest Address    Ver     Hdr Len
206.190.50.141  130.216.1.33    4       5
TOS     length  ID      flags   offset  TTL     chksum
0       613     64524   2       0       50      50497

Resolved Source
sip3.voice.re2.yahoo.com

Resolved Dest
railcamp-fw.net.auckland.ac.nz 

TCP
--------
Source Port     Dest Port       Seq             Ack             
5061            1072            3239195017      2248617289
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      65535   60259           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
SIP/2.0 401 Unauthorized..From: shilpa_singal2000<sip:shilpa
_singal2000@206.190.50.141:5061>;tag=74bddd0-0-13bb-cb-52af7
e26-cb..To: shilpa_singal2000<sip:shilpa_singal2000@206.190.
50.141:5061>;tag=8d32bece-50-4293f62e-15f74498-22617780..Cal
l-ID: 74d20a8-0-13bb-c9-40416100-c9..CSeq: 1 REGISTER..Conta
ct: <sip:shilpa_singal2000@206.190.50.141:5061;transport=TCP
..Via: SIP/2.0/TCP 10.4.1.23:5051;received=130.216.1.33;bra
nch=z9hG4bK-cb-319b5-2652b0b7..WWW-Authenticate: Digest real
m="sip.yahoo.com", nonce="01Q9RdiVIsrGF2ElsYSkJ4wsqrgm", alg
orithm=MD5..Content-Length: 0....
