[unisog] New Bot variants making rounds

Michael Holstein michael.holstein at csuohio.edu
Mon Apr 4 18:29:18 GMT 2005


Jason Brooks wrote:
> Is "RogueIRC" from the bleedingsnort rules? 

I don't think so -- not originally at least. I believe they came from 
EDUCAUSE but don't quote me on that.

Here is what I'm using in case you're interested. I removed the 'tag' 
directive since it doesn't work right with SQL output anyway. I also 
changed the "ignore" ports to include smtp.

~Mike.

# RogueIRC rules as posted, with two syntax fixes: the content modifier is
# 'nocase;' (not 'nocase:;'), and the destination "ignore" ports use Snort's
# port-list form ![25,80] (smtp and http) instead of the reversed range !80:25.
# Each rule also gets its own sid; four rules sharing sid:1000168 collide on
# load. The extra sids below are assigned here, in the local 1000000+ range.
alert tcp $HOME_NET !21:443 -> any ![25,80] (content:"PRIVMSG"; nocase;\
content:"Exploit"; nocase; within:80;\
msg:"Possible RogueIRC (Exploit)"; classtype:trojan-activity;\
sid:1000168; rev:6;)
alert tcp $HOME_NET !21:443 -> any ![25,80] (content:"PRIVMSG"; nocase;\
content:"lsass"; nocase; within:80;\
msg:"Possible RogueIRC (lsass)"; classtype:trojan-activity;\
sid:1000169; rev:6;)
alert tcp $HOME_NET !21:443 -> any ![25,80] (content:"PRIVMSG"; nocase;\
content:"Scan"; nocase; within:80;\
msg:"Possible RogueIRC (Scan)"; classtype:trojan-activity;\
sid:1000170; rev:6;)
alert tcp $HOME_NET !21:443 -> any ![25,80] (content:"PRIVMSG"; nocase;\
content:"zombie"; nocase; within:80;\
msg:"Possible RogueIRC (zombie)"; classtype:trojan-activity;\
sid:1000171; rev:6;)
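An added example, not part of Mike's post: a small Python model of what the four rules above match (case-insensitive PRIVMSG, a keyword that must fit inside the 80 bytes that follow it, and the port exclusions), run over constructed IRC lines so the `within:80` and port-ignore behaviour can be checked without Snort. The keyword list and port handling are my reading of the rules, not Snort's parser.

```python
import re

# One keyword per rule in the post; 'nocase' makes all matches case-insensitive.
KEYWORDS = ("Exploit", "lsass", "Scan", "zombie")
WITHIN = 80                   # bytes after the PRIVMSG match (within:80)
IGNORED_DST_PORTS = {25, 80}  # "ignore" ports: http, plus smtp as Mike added


def port_filter(src_port: int, dst_port: int) -> bool:
    """Rule header: source port outside 21-443, destination not 25 or 80."""
    return not (21 <= src_port <= 443) and dst_port not in IGNORED_DST_PORTS


def match_rogueirc(payload: bytes, src_port: int, dst_port: int):
    """Return the keyword whose rule would fire on this payload, else None."""
    if not port_filter(src_port, dst_port):
        return None
    first = re.search(rb"PRIVMSG", payload, re.IGNORECASE)
    if not first:
        return None
    # 'within:N' restricts the second content to the N bytes that follow
    # the end of the previous match; the pattern must fit entirely inside.
    window = payload[first.end(): first.end() + WITHIN]
    for kw in KEYWORDS:
        if re.search(re.escape(kw.encode()), window, re.IGNORECASE):
            return kw
    return None


# Constructed sample lines (not captured traffic): payload, src port, dst port.
SAMPLES = [
    (b"PRIVMSG #bots :exploit lsass 10.0.0.0/8\r\n", 6667, 6667),  # fires
    (b"PRIVMSG #chat :meeting at 3pm\r\n", 6667, 6667),            # benign
    (b"privmsg #bots :scan started\r\n", 2000, 25),                # dst 25 ignored
    (b"PRIVMSG #bots :" + b"x" * 90 + b"zombie\r\n", 6667, 6667),  # past within:80
]


def scan_samples(samples=SAMPLES):
    """Apply the rule model to each sample; returns the firing keyword or None."""
    return [match_rogueirc(p, s, d) for p, s, d in samples]


if __name__ == "__main__":
    for (payload, _, _), hit in zip(SAMPLES, scan_samples()):
        print(hit, payload[:40])
```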


