Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] Warning: flowbits keys (not) set/checked (Trojan Bot/Sa

from [Frank Knobbe] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] Warning: flowbits keys (not) set/checked (Trojan Bot/Sasser rules)
Date: Wed, 12 Oct 2005 21:55:43 -0500 
On Wed, 2005-10-12 at 20:09 -0500, Ellen L Mitchell wrote:

I'm missing something... I've been reviewing my rule set and I have a
couple questions that google couldn't solve.

The following Trojan Bot rules (from bleeding-virus) use "flowbits:
set,trojan;" but I haven't been able to find any rule that uses
"flowbits: isset,trojan".  Am I missing rules, or missing information
about how the rules are supposed to work?  I checked bleeding-all just
in case they weren't included in the -virus set.


Nope, you're not missing anything. I think it was set so that any future
rules might check it. Also, if you have custom rules that might fire on
this sort of trojan activity, you could use the flowbit to suppress
alert from them. 

Since it's only a warning on startup of Snort, we just left the flowbit
set in there since it doesn't break anything. Lazy? Perhaps, but I'd
like to consider it "forward-thinking" instead ;)



Similarly, the Sasser/Korgo worm rule (SID 2001286 Rev 10) uses
"flowbits: isset,netbios.lsass.bind.attempt;" but I can't find a rule 
that sets "netbios.lsass.bind.attempt".


I wondered about that myself. I think that's a remnant from an external
contribution, Joe Stewart from LURHQ I believe. We could certainly clean
that up, but a) it may break things in peoples setups where that is
actually used, and b) again, since it doesn't break anything, it's low
on the priority list.

All, would anyone be affected if we'd remove this?

Thanks,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Date:  [Snort-sigs] Sourcefire VRT Certified Rules Update, Sourcefire VRT
Previous by Thread:  [Snort-sigs] Warning: flowbits keys (not) set/checked (Trojan Bot/Sasser rules), Ellen L Mitchell
Next by Thread:  [Snort-sigs] Sourcefire VRT Certified Rules Update, Sourcefire VRT
Indexes:  [Date] [Thread] [Top] [All Lists]