Category Archives: IDS Intrusion Detection Systems

Bro Logs Protocol Log Features Fields Description Cheat Sheet How To

State  Meaning
S0     Connection attempt seen, no reply
S1     Connection established, not terminated (0 byte counts)
SF     Normal establish & termination (>0 byte counts)
REJ    Connection attempt rejected
S2     Established, ORIG attempts close, no reply from RESP.
S3     Established, RESP attempts close, no reply from ORIG.
RSTO   Established, ORIG aborted (RST)
RSTR   Established, RESP aborted… Read More »


BRO vs Snort IDS Locky Ransomware tcpdump Traffic Sample Data Packet Analysis

(PCAP and Binary samples available with their usual password and location) Bro and Snort are completely different types of applications although they are commonly compared against one another. From a network security standpoint Snort can’t do much to detect new malware variants, obfuscation TTPs and other non-low hanging fruit we haven’t created a signature for.… Read More »


SNORT – Effective Rule Writing Techniques – Constraining Snort Content Matches with Keyword Modifiers

Snort IDS and IPS Toolkit (Jay Beale’s Open Source Security) You can constrain the location and case-sensitivity of content searches with options that modify the content keyword. Some examples are as follows: Nocase – You can instruct the detection engine to ignore case when searching for content matches in ASCII strings. Offset – The offset keyword… Read More »


BRO IDS Signature to detect LURK0 Remote Access Trojan (RAT) Malware

##! Detects hosts involved with Bitcoin mining (or other cryptocurrencies
##! that share the same mining protocol like Litecoin, PPCoin, etc.).
##!
##! Bitcoin mining protocols typically involve the use of
##! `JSON-RPC <http://www.jsonrpc.org/specification>`_ requests to mining
##! pool servers to request work. JSON-RPC doesn’t require the use of a
##! particular transport protocol, but… Read More »


Sanny Daws Trojan Malware E-Mail Spamming Threat + Snort Signatures

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server; content:"/list.php?db="; http_uri; content:"Accept-Language|3A| ko-kr"; http_header; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; sid:1318811; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; content:"Accept-Language|3A|… Read More »
