Snort signatures for rxbot / rbot.gl
From: Christopher Harrington (charrington nitrodata.com)
Date: Thu Aug 12 2004 - 11:31:43 CDT
For those interested, here are a couple of Snort signatures for the
aforementioned rxbot / rbot.gl variant.

# Content decodes to "]: Exploiting IP: ", matched in TCP traffic leaving $HOME_NET.
alert tcp $HOME_NET any -> any any (msg:"RXBOT / RBOT Exploit Report"; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; classtype: trojan-activity; reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; sid:1003620; rev: 1;)

# Content decodes to ".advscan ", matched in TCP traffic entering $HOME_NET.
alert tcp any any -> $HOME_NET any (msg:"RXBOT / RBOT Vulnerability Scan"; content:"|2E|advscan|20|"; nocase; classtype: trojan-activity; reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; reference:url,www.muzzleflash.org/readarticle.php?article_id=5#scanning; sid:1003621; rev: 1;)

--Chris
--
Christopher Harrington, CISSP
Director of Security Engineering
NitroData Systems, Inc.
603-766-8160, ext. 25
http://www.nitroguard.com
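
The following is an added example, not part of the original message or of Snort: a small Python check that expands the two rules' content options into raw bytes and applies them case-insensitively to payloads, to see what would trigger an alert. It only models content and nocase (not the $HOME_NET direction or escape sequences), and every payload used with it is constructed.

```python
# Content options copied from the two rules in the message above.
RULES = {
    1003620: "|5D 3A 20|Exploiting|20|IP|3A 20|",
    1003621: "|2E|advscan|20|",
}


def decode_content(pattern: str) -> bytes:
    """Expand a Snort content string into the bytes it matches.

    Text outside |...| is literal; text inside is space-separated hex.
    Backslash escapes are not handled (these rules do not use them).
    """
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:                       # odd segments sit between pipes
            out += bytes.fromhex(part)  # fromhex skips the spaces
        else:
            out += part.encode("ascii")
    return bytes(out)


def matching_sids(payload: bytes) -> list:
    """Return the sids whose content occurs in payload, ignoring case (nocase)."""
    low = payload.lower()
    return [sid for sid, pat in RULES.items()
            if decode_content(pat).lower() in low]


if __name__ == "__main__":
    # Constructed payloads for testing; not captured traffic.
    samples = [
        b"PRIVMSG #chan :[x]: exploiting ip: 192.0.2.10\r\n",
        b"PRIVMSG #chan :.ADVSCAN args\r\n",
        # Neither rule restricts ports, so unrelated TCP traffic that
        # happens to contain the string alerts as well.
        b"GET /docs/tool.advscan HTTP/1.1\r\n",
        b"PRIVMSG #chan :hello\r\n",
    ]
    for s in samples:
        print(matching_sids(s), s)
```

The third sample shows why alerts from sid 1003621 need triage: the content is short and the rule header matches any port.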