427 Botnet fm qxd

and only basic testing is applied by VRT—that is, sufficient to ensure that
they don’t break the application. However, community rules are often
expertly created and rigorously tested by the community before they are sub-
mitted to VRT.
The Bleedingsnort resource at www.bleedingsnort.com is a source of
“bleeding-edge” rules and signatures of variable quality.Their usefulness
depends, again, on the constructional and testing abilities of their creator.
Rolling Your Own
Here are two Snort signatures created by (and used by kind permission of )
Joe Stewart and published as part of an analysis of Phatbot (www.lurhq.com/
phatbot.html):
alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful";
flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d
0a|"; dsize:40; classtype:trojan-activity;
reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)
We can’t do more than suggest the rich functionality offered by Snort sig-
natures, but here’s a brief guide as to how this one works:
■
[alert tcp]
instructs the software to send an alert when the signature
later in the rule is seen in a TCP packet. (Snort can also scan UDP
and ICMP traffic.)
■
The first 
any
defines the IP range for which the alert should trigger.
In this case, it applies whether the IP address is local or external.
■
The second 
any
means that the alert should trigger irrespective of
TCP port.
■
[-> any any]
tells us that the alert should trigger irrespective of the
location of the target IP and on any port (again, this will be a TCP
port in this case).
■
[(msg:”Agobot/Phatbot Infection Successful”;]
specifies the text to be
used by the alert to identify the event.The message may be sent via
an external program as well as to the screen or log file.
■
The 
flow
keyword establishes the direction of the traffic flow. In this
case, the alert will trigger only on established connections.

Download 6,98 Mb.

Do'stlaringiz bilan baham: