[unisog] New Bot variants making rounds

Andreas Östling andreaso at it.su.se
Fri Apr 8 13:30:49 GMT 2005


On Thursday 07 April 2005 16:32, Tom Fischer wrote:
> this one is incorrect (not necessarily PRIVMSGs and wrong direction;)
>
> Up to date bleedingsnort excerpt [1]:
>
> #From Tomfi
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN potential update/download IRC Bot command";
> pcre:"/((upda|getfile|dl|download) http\://|http\.(execute|download|update)|ftp\.(execute|download|update))/i";
> flow:established; classtype:trojan-activity;
> reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php;
> reference:url,www.honeynet.org/papers/bots/; sid:2001786; rev:4;)
...

Snort sigs using only pcre matching and no 'content' check can have a huge 
performance impact on Snort though, especially if you can't restrict the sigs 
to watch specific ports/addresses etc. So I'd be very careful with running 
such sigs on a live system watching more than a small amount of traffic, 
although I'm sure they're great for doing post-analysis of packet dumps.

This has been discussed with the bleeding-snort folks and I think they have 
fixed a few (not all?) sigs. Just for fun, I did some tests a while ago with 
perfmonitor and perfmon-graph[0] just to see how a few of the pcre-only rules 
affected performance. Here is an example screenshot of Snort's packet drops 
before and after enabling the rules: http://people.su.se/~andreaso/drops.png
Not exactly a scientific test, but still. There are several ways to write 
CPU-heavy sigs so using perfmonitor is always nice.

[0] http://people.su.se/~andreaso/perfmon-graph/

/Andreas
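One way to act on the performance point made above, added here as an example and not taken from the thread or from the bleeding-snort rule set: the quoted pcre-only rule is split into three rules, one per branch of its regex alternation, and each gets a literal `content` match that Snort's fast pattern matcher checks cheaply before the regex is ever evaluated. The sid values, the rule text and the Snort 2.x option syntax are my assumptions; the pcre branches are the quoted rule's own.

```snort
# Added example (not from the original post). Each content string is a literal
# that every payload matching the corresponding pcre branch must contain, so the
# pcre only runs on packets that already passed the cheap content check and the
# set of matching packets is unchanged from the quoted pcre-only rule.
# sid values are placeholders in the local rule range (>= 1000000).

# Branch 1: "<cmd> http://"
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL TROJAN potential update/download IRC Bot command (http URL)"; \
  flow:established; \
  content:"http://"; nocase; \
  pcre:"/(upda|getfile|dl|download) http:\/\//i"; \
  classtype:trojan-activity; sid:1000001; rev:1;)

# Branch 2: "http.<verb>"
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL TROJAN potential update/download IRC Bot command (http.verb)"; \
  flow:established; \
  content:"http."; nocase; \
  pcre:"/http\.(execute|download|update)/i"; \
  classtype:trojan-activity; sid:1000002; rev:1;)

# Branch 3: "ftp.<verb>"
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL TROJAN potential update/download IRC Bot command (ftp.verb)"; \
  flow:established; \
  content:"ftp."; nocase; \
  pcre:"/ftp\.(execute|download|update)/i"; \
  classtype:trojan-activity; sid:1000003; rev:1;)
```

Running perfmonitor before and after the swap, as the post suggests, is the way to confirm the gain on your own traffic mix.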
