Botnets - The killer web applications

www.syngress.com
Chapter 5 • Botnet Detection: Tools and Techniques
[content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"] defines the actual signature that will trigger the alert.

[dsize:40] specifies the value against which the packet’s payload size should be tested.

[classtype:trojan-activity] denotes that the event is to be logged as “trojan-activity,” but it could be logged as any registered “classtype.”

[reference:url,www.lurhq.com/phatbot.html] denotes the external attack reference ID—in this case, the URL for Joe’s analysis.

[sid:1000075] signifies the Snort rule identifier.

[rev:1;] specifies the revision number. Obviously, you would increment this number as needed.
Here’s a supplementary signature from the same source:
alert tcp any any -> any any (msg:"Phatbot P2P Control Connection";
flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15;
classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html;
sid:1000076; rev:1;)
This signature is very similarly constructed to the first: [within:15;] specifies that the two “content” patterns are to be within 15 bytes of each other.
However, Snort signatures can be used to counter a far wider range of threats than bots. The following snippet is a signature created by Martin Overton for W32/Netsky.P and used here as an example, again with his kind permission:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32.NetSky.p@mm - MIME";
content: "X7soIUEAR4s3r1f/E5UzwK51/f4PdO/+D3UGR/83r+sJ/g8PhKLw/v9XVf9T";
classtype: misc-activity;)

[$EXTERNAL_NET any] means that the rule should trigger on any TCP port. (The any keyword could be replaced by a specific port such as 110, the TCP port used by a POP mail client.) However, using the variable $EXTERNAL_NET specifies that the rule should trigger only if the offending packet comes from an external IP address.
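To make the option semantics above concrete, the following is an added example (not Snort's own matching engine and not code from the book): a small Python evaluator that parses the rule header and options, expands |hex| blocks in content strings, honours dsize and within, and resolves $EXTERNAL_NET/$HOME_NET before deciding whether a packet would alert. It uses the two complete rules quoted in the text; the Phatbot "goodbye" rule is rebuilt from the options listed above with a constructed header and msg. The NET_VARS values, the helper names, and all packets are constructed assumptions.

```python
"""Tiny Snort-style rule evaluator (added example, not Snort itself)."""
import ipaddress
import re

# Constructed values for the snort.conf variables; adjust to your own site.
NET_VARS = {"$HOME_NET": "192.168.0.0/16", "$EXTERNAL_NET": "!192.168.0.0/16"}

HEX_BLOCK = re.compile(r"\|([0-9A-Fa-f ]+)\|")                 # |3a 29 2e| blocks
OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')        # ';' outside quotes


def content_to_bytes(spec: str) -> bytes:
    """Expand a content string, turning |hh hh| hex blocks into raw bytes."""
    out, pos = bytearray(), 0
    for m in HEX_BLOCK.finditer(spec):
        out += spec[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    return bytes(out + spec[pos:].encode("latin-1"))


def parse_rule(text: str) -> dict:
    """Split a rule into header fields, an ordered content list and other options."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "contents": [], "opts": {}}
    for opt in OPT_SPLIT.split(body.strip().rstrip(")")):
        if not opt.strip():
            continue
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            rule["contents"].append({"bytes": content_to_bytes(val)})
        elif key == "within":                 # modifies the preceding content
            rule["contents"][-1]["within"] = int(val)
        else:                                 # msg, dsize, classtype, sid, rev, ...
            rule["opts"][key] = val
    return rule


def addr_matches(spec: str, ip: str) -> bool:
    """Header address: 'any', a CIDR, or a variable; a leading '!' negates."""
    spec = NET_VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))) != negate


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def dsize_matches(spec: str, length: int) -> bool:
    """dsize:N exact, dsize:<N or dsize:>N (the a<>b range form is not handled)."""
    if spec[0] in "<>":
        return length < int(spec[1:]) if spec[0] == "<" else length > int(spec[1:])
    return length == int(spec)


def contents_match(contents: list, payload: bytes) -> bool:
    """Find each content in order; within:N restricts the next pattern to the N
    bytes after the previous match ends (first occurrence only, no backtracking)."""
    prev_end = 0
    for c in contents:
        if "within" in c:
            idx = payload[prev_end:prev_end + c["within"]].find(c["bytes"])
            start = prev_end + idx if idx >= 0 else -1
        else:
            start = payload.find(c["bytes"])
        if start < 0:
            return False
        prev_end = start + len(c["bytes"])
    return True


def rule_matches(rule: dict, pkt: dict) -> bool:
    """pkt = {'src','sport','dst','dport','payload'}; True when the rule would alert."""
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    if "dsize" in rule["opts"] and not dsize_matches(rule["opts"]["dsize"], len(pkt["payload"])):
        return False
    return contents_match(rule["contents"], pkt["payload"])


# Options from the text with a constructed header and msg; the other two rules are quoted as-is.
PHATBOT_GOODBYE = ('alert tcp any any -> any any (msg:"Phatbot goodbye - constructed msg"; '
    'flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; '
    'classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)')
PHATBOT_P2P = ('alert tcp any any -> any any (msg:"Phatbot P2P Control Connection"; '
    'flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; '
    'classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000076; rev:1;)')
NETSKY = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32.NetSky.p@mm - MIME"; '
    'content: "X7soIUEAR4s3r1f/E5UzwK51/f4PdO/+D3UGR/83r+sJ/g8PhKLw/v9XVf9T"; classtype: misc-activity;)')


def pkt(src, dst, payload, sport=1234, dport=80):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


def demo() -> dict:
    """Constructed packets run against the three rules; returns name -> alert verdict."""
    goodbye, p2p, netsky = map(parse_rule, (PHATBOT_GOODBYE, PHATBOT_P2P, NETSKY))
    bye = b"221 Goodbye, have a good infection :).\r\n"          # exactly 40 bytes
    near = b"Wonk-abc\x00#waste\x00 peer-list"                    # 2nd pattern 3 bytes on
    far = b"Wonk-" + b"x" * 20 + b"\x00#waste\x00"                 # 2nd pattern past within:15
    mime = b"\r\n\r\nX7soIUEAR4s3r1f/E5UzwK51/f4PdO/+D3UGR/83r+sJ/g8PhKLw/v9XVf9T\r\n"
    return {
        "goodbye_exact_size":  rule_matches(goodbye, pkt("10.0.0.1", "10.0.0.2", bye)),
        "goodbye_wrong_size":  rule_matches(goodbye, pkt("10.0.0.1", "10.0.0.2", bye + b"x")),
        "p2p_within_window":   rule_matches(p2p, pkt("10.0.0.1", "10.0.0.2", near)),
        "p2p_outside_window":  rule_matches(p2p, pkt("10.0.0.1", "10.0.0.2", far)),
        "netsky_from_outside": rule_matches(netsky, pkt("203.0.113.9", "192.168.1.10", mime)),
        "netsky_from_inside":  rule_matches(netsky, pkt("192.168.1.20", "192.168.1.10", mime)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {'ALERT' if verdict else 'no alert'}")
```

Running the block shows the three behaviours the text describes: the goodbye rule fires only on a payload of exactly 40 bytes, the P2P rule fires only when the second content lands inside the 15-byte window after "Wonk-", and the NetSky rule stays quiet when the same MIME payload arrives from an address inside $HOME_NET.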