Snort Sigs for MS06-042 and ICMP tunnel mentioned in Diary
Frank Knobbe sent in these signatures today via Bleedingsnort.com.
Note that on the signatures below I have added the "\" continuation character to get better formatting on the Storm Center page.
Signature for the ICMP Banking Trojan:
# By Joe Stewart, Based on valuable work by Tom Fisher
alert icmp any any -> any any (msg:"BLEEDING-EDGE TROJAN ICMP Banking Trojan \
sending encrypted stolen data"; dsize:>64; content:"|08|"; itype:8; icode:0; depth:1; \
byte_test:4,>,64,1,little; byte_test:4,<,1500,1,little; content:"|0000|"; distance:4; within:1495; \
classtype:trojan-activity; reference:url,www.websensesecuritylabs.com/alerts/alert.php?AlertID=570; \
sid:2003073; rev:1;)
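To make the rule's option chain concrete, here is a small Python re-implementation of the same checks, written as an added example for this diary (it is not code from Bleeding Edge, Joe Stewart, or the ISC). It assumes Snort's ICMP matching semantics: dsize and the content buffer refer to the ICMP payload after the 8-byte echo header, byte_test offsets are absolute from the start of that payload, and distance/within are relative to the end of the previous content match. The packets it checks are constructed inline, not captures.

```python
import struct

ICMP_HDR_LEN = 8  # type(1) code(1) checksum(2) identifier(2) sequence(2)


def build_echo(payload: bytes, icmp_type: int = 8, code: int = 0) -> bytes:
    """Constructed ICMP message (echo request by default). The checksum is
    left at zero because the rule never inspects it."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + payload


def matches_sid_2003073(icmp_msg: bytes) -> bool:
    """Apply the options of sid:2003073 in rule order to one ICMP message."""
    if len(icmp_msg) < ICMP_HDR_LEN:
        return False
    icmp_type, icmp_code = icmp_msg[0], icmp_msg[1]
    payload = icmp_msg[ICMP_HDR_LEN:]          # Snort's content buffer for ICMP

    # itype:8; icode:0  -> echo request only
    if icmp_type != 8 or icmp_code != 0:
        return False
    # dsize:>64  -> payload larger than a typical ping
    if len(payload) <= 64:
        return False
    # content:"|08|"; depth:1  -> first payload byte is 0x08
    if payload[:1] != b"\x08":
        return False
    # byte_test:4,>,64,1,little; byte_test:4,<,1500,1,little
    # -> 4-byte little-endian value at payload offset 1 must be in (64, 1500)
    if len(payload) < 5:
        return False
    length_field = struct.unpack_from("<I", payload, 1)[0]
    if not (64 < length_field < 1500):
        return False
    # content:"|0000|"; distance:4; within:1495
    # -> previous match ended at offset 1; skip 4 more bytes and the two zero
    #    bytes must appear inside the following 1495-byte window
    start = 1 + 4
    window = payload[start:start + 1495]
    return b"\x00\x00" in window


# Constructed sample messages (assumptions for illustration, not captures).
_LEN200 = struct.pack("<I", 200)
SAMPLES = {
    # 0x08 marker, little-endian length 200, the 0x0000 field, then 70 bytes
    "trojan_like": build_echo(b"\x08" + _LEN200 + b"\x00\x00" + b"A" * 70),
    # ordinary 56-byte ping payload: fails dsize:>64
    "normal_ping": build_echo(bytes(range(56))),
    # right first byte and size, but length field 10 fails byte_test >64
    "short_length_field": build_echo(b"\x08" + struct.pack("<I", 10) + b"\x00\x00" + b"A" * 70),
    # identical payload as an echo reply (itype 0): no alert
    "echo_reply": build_echo(b"\x08" + _LEN200 + b"\x00\x00" + b"A" * 70, icmp_type=0),
    # plausible length field but no 0x0000 after offset 5: no alert
    "no_marker": build_echo(b"\x08" + _LEN200 + b"A" * 72),
}


def alerting_samples() -> list:
    """Names of the constructed samples that would fire the rule."""
    return sorted(name for name, msg in SAMPLES.items() if matches_sid_2003073(msg))


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:20s} alert={matches_sid_2003073(msg)}")
```

Running it shows only the constructed "trojan_like" message firing; the point to take away is that every option in the rule is a cheap, ordered filter (type/code, size, first byte, length field, marker) and that a legitimate ping, an echo reply, or a large payload without the length-and-marker structure all drop out before the final content search.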
The link to the signatures for ICMP tunnel
For the signatures for MS06-042, please refer to the link on bleedingsnort.com: signatures for MS06-042
Mike Poor
Intelguardians.com