DDoS & Security Reports (http://www.arbornetworks.com/asert)
THE ARBOR NETWORKS IT SECURITY BLOG
Snort rules for Etumbot
By: Arbor Networks (http://www.arbornetworks.com/asert/author/arbor-networks), 06/10/2014 (http://www.arbornetworks.com/asert/2014/06/snortrules-for-etumbot/)
Since publication of the Etumbot blog (http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/) on Friday, June 6th, we’ve received numerous requests to publish Snort rules for the network indicators described therein. You can find Snort rules for the Etumbot C&C communications on Arbor’s github at https://github.com/arbor/snort/blob/master/etumbot.rules.

While we are not Snort syntax experts, we have performed basic testing for the Etumbot communications we’ve been able to observe over the wire. Specifically, the first three Snort rules, for Etumbot RC4 Key Request, Etumbot Registration Request, and Etumbot Ping, all triggered successfully when the corresponding network traffic was observed. Remember to change the SIDs as appropriate for your environment. We also anticipate these rules will be incorporated into the EmergingThreats Open feed in the very near term.
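The post asks readers to change the SIDs before deploying the rules. The script below is an added example, not part of the post or of Arbor's ruleset: it renumbers every rule in a Snort rules file into a local SID range, skips SIDs already deployed, and flags duplicate SIDs. The three sample rules are constructed for this example; they borrow only the rule names the post mentions, and their content matches are placeholders rather than real Etumbot indicators, so fetch the actual rules from the github link above.

```python
import re

# Constructed placeholder rules for this example (not the published Arbor rules).
# Only the rule names come from the post; the content matches are dummies.
SAMPLE_RULES = """\
# constructed placeholder rules, not the published Arbor ruleset
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Etumbot RC4 Key Request (placeholder)"; flow:to_server,established; content:"PLACEHOLDER-1"; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Etumbot Registration Request (placeholder)"; flow:to_server,established; content:"PLACEHOLDER-2"; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Etumbot Ping (placeholder)"; flow:to_server,established; content:"PLACEHOLDER-3"; classtype:trojan-activity; sid:1000003; rev:1;)
"""

# Snort convention: SIDs at or above 1,000,000 are reserved for local rules,
# so renumbering into that range avoids clashing with distributed rule sets.
LOCAL_SID_MIN = 1_000_000

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def is_rule_line(line):
    """True for lines that carry a rule (not blank, not a '#' comment)."""
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith("#")


def find_sids(rule_text):
    """Return the SIDs of all rules in file order; every rule must have one."""
    sids = []
    for line in rule_text.splitlines():
        if not is_rule_line(line):
            continue
        m = SID_RE.search(line)
        if m is None:
            raise ValueError("rule without sid: " + line[:60])
        sids.append(int(m.group(1)))
    return sids


def duplicate_sids(rule_text):
    """Map each SID that occurs more than once to its occurrence count."""
    counts = {}
    for sid in find_sids(rule_text):
        counts[sid] = counts.get(sid, 0) + 1
    return {sid: n for sid, n in counts.items() if n > 1}


def renumber_sids(rule_text, base, in_use=frozenset()):
    """Assign consecutive SIDs from base, skipping any listed in in_use.

    Returns (rewritten_text, {old_sid: new_sid}). The rev keyword is left
    untouched, so later updates to a rule can bump rev as usual.
    """
    if base < LOCAL_SID_MIN:
        raise ValueError("local rules should use SIDs >= %d" % LOCAL_SID_MIN)
    mapping = {}
    out = []
    next_sid = base
    for line in rule_text.splitlines():
        if not is_rule_line(line):
            out.append(line)
            continue
        m = SID_RE.search(line)
        if m is None:
            raise ValueError("rule without sid: " + line[:60])
        # Step over SIDs that are already deployed locally.
        while next_sid in in_use:
            next_sid += 1
        mapping[int(m.group(1))] = next_sid
        out.append(line[:m.start()] + "sid:%d;" % next_sid + line[m.end():])
        next_sid += 1
    return "\n".join(out) + "\n", mapping


if __name__ == "__main__":
    text, changed = renumber_sids(SAMPLE_RULES, 1_100_000, in_use={1_100_001})
    print(changed)
    print(text)
```

Run it against the downloaded etumbot.rules by replacing SAMPLE_RULES with the file contents and passing the SIDs already present in your local.rules as in_use; checking duplicate_sids on the merged file before reloading Snort catches the collision case that otherwise only shows up as a startup error.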
© Copyright 2014 Arbor Networks, All rights reserved.