[Community-sigs] new sig Linux.Backdoor.Concbak

andreisaygo at live.ie andreisaygo at live.ie
Wed Mar 18 11:02:42 EDT 2015


Hi Alain,

That sounds even better, thanks :)

Would you accept snort rules generated by automated systems as well?
For example: https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_R&D_Track_PIN_Down_the_Malware.pdf

Regards,
Andrei Saygo

> Date: Wed, 18 Mar 2015 10:52:23 -0400
> From: azidouemba at sourcefire.com
> To: community-sigs at lists.clamav.net
> Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
> 
> If you know and are interested in providing Snort rules for malware
> samples, we will add your rules (again, after testing and tweaking if
> necessary) to the community ruleset:
> 
> http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html
> 
> You'll of course be given credit for your Snort rules, just as you are
> given credit for your ClamAV signatures.
> 
> Thank you very much for your contribution,
> 
> - Alain
> 
> On Wed, Mar 18, 2015 at 10:42 AM, <andreisaygo at live.ie> wrote:
> 
> > Hi Ben,
> > Sounds great, thanks. I'll make sure to include similar info (if possible)
> > from now on.
> >
> > Regards,
> > Andrei Saygo
> > > Date: Wed, 18 Mar 2015 10:39:20 -0400
> > > From: bbaker at sourcefire.com
> > > To: community-sigs at lists.clamav.net
> > > Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
> > >
> > > Thanks Andrei! Your sig passed FP check and has been published. Since you
> > > included really unique network info, I'll make a Snort rule for that as
> > > well.
> > >
> > > On Mon, Mar 16, 2015 at 7:52 PM, <andreisaygo at live.ie> wrote:
> > >
> > > > Signature:
> > > >
> > > >
> > > > Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);2F676174652E706870;2670636E616D653D00;26687769643D00;756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700
> > > >
> > > > Hashes:
> > > > MD5: 88119dc700357d2d486efb2d1369b105
> > > > SHA1: 36361d6472d3c675182a2ca01ceed968d6c8e46b
> > > > SHA256:
> > > > 6b2cc3d64aa719c4910b89dc841f7ae07a5eab481d9ad2ed75059ac5173092b1
> > > >
> > > > Sig0:
> > > > /gate.php
> > > >
> > > > Sig1:
> > > > &pcname=
> > > >
> > > > Sig2:
> > > > &hwid=
> > > >
> > > > Sig3:
> > > > udpflood
> > > > Sig4:
> > > > backconnect
> > > > Sig5:
> > > > /etc/shadow
> > > >
> > > > Additional details:
> > > > Full link:
> > > > hxxp://webcrawl.marketplay.be:80//platforms/linux_v6//gate.php
> > > >
> > > > HTTP header:
> > > > User-Agent: Firefox.3.5
> > > > Referer: http://google.com/
> > > > Accept-Encoding: identity
> > > >
> > > >
> > > > Regards,
> > > > Andrei Saygo
> > > > _______________________________________________
> > > > Community-sigs mailing list
> > > > Community-sigs at lists.clamav.net
> > > > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> > > >
> > > > http://www.clamav.net/contact.html#ml
> > > >
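The logical signature quoted above is easiest to review once its hex subsignatures are decoded and the expression is evaluated against real bytes. The following Python is an added example written for this archive page, not code from ClamAV or from the signature's author; it parses the posted `.ldb` line, decodes each subsignature, and evaluates `(0&1&2)&(3|4|5)` over constructed sample buffers. It supports only the expression subset the signature uses (subsig ids, `&`, `|`, parentheses) and gives `&` precedence over `|`, which does not matter here because the posted expression is fully parenthesised. One detail worth noticing when reviewing: five of the six hex strings end in `00`, so they match NUL-terminated string constants inside the ELF (Target:6), not the bare text `&pcname=` as it would appear in a URL on the wire, which is why the network indicators need a separate Snort rule.

```python
import re
from typing import Callable, List, Tuple

# The signature exactly as posted to the list (ClamAV .ldb logical-signature format).
SIGNATURE = (
    "Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);"
    "2F676174652E706870;2670636E616D653D00;26687769643D00;"
    "756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700"
)


def parse_ldb(sig: str) -> Tuple[str, str, str, List[bytes]]:
    """Split an .ldb line into name, target block, logical expression and decoded subsignatures."""
    name, target, expr, *hex_subsigs = sig.split(";")
    subsigs = [bytes.fromhex(h) for h in hex_subsigs]
    return name, target, expr, subsigs


def compile_expr(expr: str) -> Callable[[List[bool]], bool]:
    """Compile a logical expression over subsignature indices into a predicate on a hit list.
    Recursive descent over the subset used here: integer ids, '&', '|', parentheses."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def atom():
        tok = take()
        if tok == "(":
            node = or_expr()
            assert take() == ")", "unbalanced parentheses"
            return node
        idx = int(tok)
        return lambda hits: hits[idx]

    def and_expr():
        node = atom()
        while peek() == "&":
            take()
            node = (lambda l, r: lambda hits: l(hits) and r(hits))(node, atom())
        return node

    def or_expr():
        node = and_expr()
        while peek() == "|":
            take()
            node = (lambda l, r: lambda hits: l(hits) or r(hits))(node, and_expr())
        return node

    tree = or_expr()
    assert peek() is None, "trailing tokens in expression"
    return tree


def scan(sig: str, data: bytes) -> Tuple[str, List[bool], bool]:
    """Return (signature name, per-subsig hit list, overall verdict) for one buffer.
    A plain substring search stands in for ClamAV's pattern matcher."""
    name, _target, expr, subsigs = parse_ldb(sig)
    hits = [s in data for s in subsigs]
    return name, hits, compile_expr(expr)(hits)


# Constructed sample buffers (not real samples); only the string constants matter here.
# ELF with the C&C strings and the udpflood command name, NUL-terminated as in .rodata.
SAMPLE_MATCH = b"\x7fELF\x02\x01\x01" + b"/gate.php\x00&pcname=\x00&hwid=\x00udpflood\x00"
# Same tokens as they would appear in an HTTP request: no NUL terminators, so no hit.
SAMPLE_WIRE = b"GET /gate.php?&pcname=host1&hwid=abcd HTTP/1.1 udpflood"
# Missing &hwid=, so the mandatory (0&1&2) group fails even though 3|4|5 is satisfied.
SAMPLE_PARTIAL = b"/gate.php\x00&pcname=\x00backconnect\x00"


if __name__ == "__main__":
    name, target, expr, subsigs = parse_ldb(SIGNATURE)
    print(name, target, expr)
    for i, s in enumerate(subsigs):
        print(f"Sig{i}: {s!r}")
    for label, buf in [("match", SAMPLE_MATCH), ("wire", SAMPLE_WIRE), ("partial", SAMPLE_PARTIAL)]:
        print(label, scan(SIGNATURE, buf)[1:])
```

Running the script prints the decoded subsignatures, including the trailing `\x00` bytes, and shows that only the first constructed buffer satisfies the expression; the wire-format buffer fails because the NUL terminators are absent, and the partial buffer fails because `&hwid=` is missing from the mandatory group.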