ASERT (http://www.arbornetworks.com/asert) DDoS & Security Reports
THE ARBOR NETWORKS IT SECURITY BLOG
Snort rules for Etumbot
By: Arbor Networks (http://www.arbornetworks.com/asert/author/arbor-networks) - 06/10/2014 (http://www.arbornetworks.com/asert/2014/06/snortrules-for-etumbot/)
Since publication of the Etumbot blog (http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/) on Friday, June 6th, we've received numerous requests to publish Snort rules for the network indicators described therein. You can find Snort rules for the Etumbot C&C communications on Arbor's GitHub at https://github.com/arbor/snort/blob/master/etumbot.rules.

While we are not Snort syntax experts, we have performed basic testing for the Etumbot communications we've been able to observe over the wire. Specifically, the first three Snort rules, for Etumbot RC4 Key Request, Etumbot Registration Request, and EtumBot Ping, all triggered successfully when the corresponding network traffic was observed. Remember to change the SIDs as appropriate for your environment. We also anticipate these rules will be incorporated into the EmergingThreats Open feed in the very near term.
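One way to carry out the "change the SIDs" step before loading a third-party rules file: an added Python helper (not Arbor's code, and not the Etumbot rules themselves) that renumbers every sid: option into the local range Snort reserves for locally maintained rules (1,000,000 and up) and returns the old-to-new mapping; the sample rules it runs on are constructed placeholders.

```python
import re

# Snort reserves SIDs below 1,000,000 for official rule sets; locally
# maintained or imported rules should be renumbered from 1,000,000 up.
LOCAL_SID_BASE = 1000000

_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def renumber_sids(rules_text, base=LOCAL_SID_BASE):
    """Rewrite each rule's sid: option to a sequential SID starting at base.

    Blank and comment lines pass through untouched; every other line must
    carry exactly one sid: option. Returns (rewritten_text, mapping) where
    mapping is {old_sid: new_sid}, so the renumbering can be recorded
    alongside the rules and alerts traced back to the upstream SID.
    """
    mapping = {}
    out_lines = []
    next_sid = base
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out_lines.append(line)
            continue
        m = _SID_RE.search(line)
        if m is None:
            raise ValueError("rule without a sid option: %s" % stripped)
        old = int(m.group(1))
        if old in mapping:
            raise ValueError("duplicate sid %d in input" % old)
        mapping[old] = next_sid
        # Replace only the sid option; msg, content, rev etc. are preserved.
        line = line[:m.start()] + "sid:%d;" % next_sid + line[m.end():]
        next_sid += 1
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", mapping


# Constructed sample rules with placeholder content (not Etumbot signatures).
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE rule A"; flow:to_server,established; content:"EXAMPLE-A"; http_uri; classtype:trojan-activity; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE rule B"; flow:to_server,established; content:"EXAMPLE-B"; http_header; classtype:trojan-activity; sid:2; rev:1;)
"""

if __name__ == "__main__":
    text, sid_map = renumber_sids(SAMPLE_RULES)
    print(sid_map)
    print(text)
```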