##alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; fast_pattern:only; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; reference:url,doc.emergingthreats.net/bin/view/Main/2008780; classtype:unknown; sid:2008780; rev:5;)

Added 2011-10-12 19:25:51 UTC


##alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; fast_pattern:only; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008780; sid:2008780; rev:5;)

Added 2011-09-14 22:39:18 UTC


##alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; fast_pattern:only; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008780; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3; sid:2008780; rev:5;)

Added 2011-02-04 17:27:59 UTC


alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008780; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3; sid:2008780; rev:4;)

Added 2009-02-06 19:00:54 UTC

We had a system that was getting a LOT of these alerts. When investigating we found that the user was running a program called TeamViewer, a remote control program along the lines of VNC.

-- JohnIves - 13 Feb 2009
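
The comment above explains why the signature changed between rev 2 and rev 3: the inbound "Unknown Keepalive" check gained `flowbits:isnotset,ET.teamviewerkeepaliveout` so that a session already identified as TeamViewer by an outbound rule no longer alerts. The following is an added illustration, not code from the Emerging Threats page or ruleset, of that flowbits dependency run over constructed sessions. The inbound match follows sid 2008780 as shown on this page (to_client, dsize 5, payload `17 24 1B 00 00`, external port 1024 or higher); the outbound rules that set `ET.unknownkeepaliveup` and `ET.teamviewerkeepaliveout` are not on this page, so their payloads below are placeholders made up for the example.

```python
# Added example (not from the ET page or ruleset): a minimal per-flow flowbits
# state machine showing why rev 3+ of sid 2008780 stops firing on TeamViewer.
from dataclasses import dataclass, field

# Inbound content from the page's rule: content:"|17 24 1B 00 00|", dsize:5
KEEPALIVE_IN = bytes.fromhex("17241B0000")

# Constructed placeholders for the two outbound rules the page does not show.
# The generic outbound rule is assumed to match a prefix; the TeamViewer rule
# a specific full payload that also carries that prefix, so one TeamViewer
# keepalive sets BOTH bits, which is what the reported false positives imply.
UNKNOWN_OUT_PREFIX = b"\x17\x24\x1b"                 # placeholder
UNKNOWN_OUT_SAMPLE = UNKNOWN_OUT_PREFIX + b"\x00\x01"  # placeholder
TEAMVIEWER_OUT = UNKNOWN_OUT_PREFIX + b"TV"            # placeholder


@dataclass
class Packet:
    direction: str     # "to_server" (client -> remote) or "to_client"
    remote_port: int   # port on the $EXTERNAL_NET side
    payload: bytes


@dataclass
class Flow:
    bits: set = field(default_factory=set)    # flowbits state for this session
    alerts: list = field(default_factory=list)


def inbound_keepalive_matches(pkt: Packet) -> bool:
    """The direction/port/dsize/content part of sid 2008780 as on the page."""
    return (pkt.direction == "to_client"
            and pkt.remote_port >= 1024          # $EXTERNAL_NET 1024:
            and len(pkt.payload) == 5            # dsize:5
            and pkt.payload == KEEPALIVE_IN)     # content:"|17 24 1B 00 00|"


def process(flow: Flow, pkt: Packet, rev: int) -> None:
    # Hypothetical outbound setters, modelled only on the flowbit names.
    if pkt.direction == "to_server" and pkt.payload.startswith(UNKNOWN_OUT_PREFIX):
        flow.bits.add("ET.unknownkeepaliveup")
    if pkt.direction == "to_server" and pkt.payload == TEAMVIEWER_OUT:
        flow.bits.add("ET.teamviewerkeepaliveout")

    if not inbound_keepalive_matches(pkt):
        return
    if "ET.unknownkeepaliveup" not in flow.bits:          # flowbits:isset
        return
    # rev 1-2 only required the "up" bit; rev 3+ added isnotset on the TV bit
    if rev >= 3 and "ET.teamviewerkeepaliveout" in flow.bits:
        return
    flow.alerts.append(f"sid:2008780 rev:{rev} Unknown Keepalive in")


def run_session(packets, rev: int) -> int:
    """Replay one constructed session and return how many alerts rev would raise."""
    flow = Flow()
    for pkt in packets:
        process(flow, pkt, rev)
    return len(flow.alerts)


# Constructed sessions (ports are arbitrary values >= 1024).
unknown_session = [
    Packet("to_server", 5000, UNKNOWN_OUT_SAMPLE),
    Packet("to_client", 5000, KEEPALIVE_IN),
    Packet("to_client", 5000, KEEPALIVE_IN),
]
teamviewer_session = [
    Packet("to_server", 6000, TEAMVIEWER_OUT),
    Packet("to_client", 6000, KEEPALIVE_IN),
]

if __name__ == "__main__":
    for rev in (2, 3, 5):
        print(f"rev {rev}: unknown={run_session(unknown_session, rev)} "
              f"teamviewer={run_session(teamviewer_session, rev)}")
```

Under rev 2 both sessions alert on every inbound keepalive; from rev 3 on, the session whose outbound traffic set the TeamViewer bit is silent while the unidentified one still alerts. The isset/isnotset pair is the whole mechanism: an inbound-only check on a five-byte payload is far too weak on its own, so the rule's precision comes entirely from what the outbound rules recorded earlier in the same flow.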


alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; classtype:unknown; sid:2008780; rev:3;)

Added 2008-11-19 15:45:23 UTC


alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Keepalive down"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isset,ET.unknownkeepaliveup; classtype:unknown; sid:2008780; rev:2;)

Added 2008-11-18 12:15:22 UTC


alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Keepalive down"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isset,ET.unknownkeepaliveup; sid:2008780; rev:1;)

Added 2008-11-13 10:06:24 UTC


Topic revision: r2 - 2009-02-13 - JohnIves