alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET TROJAN Zeus P2P? CnC?"; dsize:72; content:!"|AA AA AA AA AA AA AA|"; depth:63; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013739; rev:14;)

Added 2017-01-25 17:30:21 UTC
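Added example, not taken from the Emerging Threats page or the ET rule set: a Python re-implementation of the rev 14 payload options above, run over constructed UDP payloads, so the conditions the rule actually requires (72-byte datagram, no run of seven 0xAA bytes in the first 63 bytes, nine identical trailing bytes that are neither 0x00 nor 0xFF) can be inspected when triaging hits such as the Sling or Scopia false positives reported below. Function names and sample payloads are assumptions of this example.

```python
# Added example: payload checks of ET SID 2013739 rev 14, re-implemented in
# Python for inspection. Not code from Emerging Threats or the ET rule set.

def et_2013739_payload_match(payload: bytes) -> bool:
    """True if the UDP payload satisfies the rev 14 payload options."""
    if len(payload) != 72:                       # dsize:72
        return False
    # content:!"|AA AA AA AA AA AA AA|"; depth:63 -> the 7-byte pattern must
    # be absent from the first 63 bytes (added in later revs to cut FPs)
    if b"\xaa" * 7 in payload[:63]:
        return False
    padding = payload[63]                        # byte_extract:1,63,padding
    last = payload[71]
    if last == 0xFF or last == 0x00:             # byte_test:1,!=,0xff,71 and !=,0x00,71
        return False
    # byte_test:1,=,padding,64 ... byte_test:1,=,padding,71
    return all(payload[i] == padding for i in range(64, 72))


def et_2013739_header_match(src_port: int, dst_port: int) -> bool:
    """Port part of the rev 14 header: $HOME_NET 1024: -> $EXTERNAL_NET 6000:."""
    return src_port >= 1024 and dst_port >= 6000


# Constructed sample payloads (not captured traffic)
MATCH = bytes(range(63)) + b"\x41" * 9          # bytes 63..71 all 0x41
NO_MATCH_ZERO_PAD = bytes(range(63)) + b"\x00" * 9   # trailing byte is 0x00
NO_MATCH_AA = b"\xaa" * 63 + b"\x41" * 9         # excluded by the negated content
NO_MATCH_SHORT = bytes(71)                       # dsize is not 72

if __name__ == "__main__":
    for name, pkt in [("MATCH", MATCH), ("NO_MATCH_ZERO_PAD", NO_MATCH_ZERO_PAD),
                      ("NO_MATCH_AA", NO_MATCH_AA), ("NO_MATCH_SHORT", NO_MATCH_SHORT)]:
        print(name, et_2013739_payload_match(pkt))
```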


alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET TROJAN Zeus P2P? CnC?"; dsize:72; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013739; rev:8;)

Added 2012-03-07 18:45:04 UTC

FPs with traffic associated with slingbox.com

-- RussellFulton - 31 Mar 2012


alert udp $HOME_NET 1024: -> [$EXTERNAL_NET,!70.42.244.150] ![53,5680,5681] (msg:"ET TROJAN Zeus P2P? CnC?"; dsize:72; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013739; rev:7;)

Added 2012-03-06 08:09:05 UTC


alert udp $HOME_NET 1024: -> $EXTERNAL_NET ![53,5680,5681] (msg:"ET TROJAN Zeus P2P? CnC?"; dsize:72; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013739; rev:6;)

Added 2012-03-05 18:21:56 UTC


alert udp $HOME_NET 1024: -> $EXTERNAL_NET ! 53 (msg:"ET TROJAN Zeus/Aeausuc or Unknown P2P? Bot"; dsize:72; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013739; rev:5;)

Added 2011-10-20 15:10:34 UTC

Traffic to udp/5680,5681 on Sling Media ASNs may be Sling client traffic and a false positive.

-- KimCary - 21 Nov 2011


alert udp $HOME_NET 1024: -> $EXTERNAL_NET 53 (msg:"ET TROJAN Zeus/Aeausuc or Unknown P2P? Bot"; dsize:72; byte_extract:1,63,padding; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013739; rev:4;)

Added 2011-10-12 19:37:25 UTC

I have a Scopia Conference Server (by RADVISION) that appears to trip this rule constantly, apparently during conferences with in-house or external hosts. Looks like a false positive to me but I don't see an obvious way to fix the rule other than locally whitelisting the Scopia server.

-- KevinBranch - 19 Oct 2011


alert udp $HOME_NET 1024: -> $EXTERNAL_NET 53 (msg:"ET TROJAN Aeausuc or Unknown P2P? Bot"; dsize:72; byte_extract:1,63,padding; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; classtype:trojan-activity; sid:2013739; rev:3;)

Added 2011-10-06 11:45:44 UTC


alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN ZeuS? P2P? Communication 1"; byte_extract:4,63,padding; byte_test:4,=,padding,67; dsize:72; classtype:trojan-activity; sid:2013739; rev:2;)

Added 2011-10-05 23:23:02 UTC


Added 2011-10-05 06:38:21 UTC


Topic revision: r5 - 2012-03-31 - RussellFulton