##alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Kelihos .eu CnC? Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|00 00 07|"; depth:16; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type both, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2014371; rev:7;)

Added 2012-10-02 22:49:23 UTC


#alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Kelihos .eu CnC? Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|00 00 07|"; depth:16; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type both, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2014371; rev:6;)

Added 2012-09-26 23:46:43 UTC


alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Kelihos .eu CnC? Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|00 00 07|"; depth:16; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type limit, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2014371; rev:5;)

Added 2012-03-15 10:52:25 UTC

Any further falses on the new rev Stephane?

-- MattJonkman - 16 Mar 2012

We're seeing false positives on this from talkweb.eu domain lookups.

0000000: 33 64 00 00 00 01 00 00 00 00 00 00 07 74 61 6c 6b 77 65 62 02 65 75 00 00 01  3d...........talkweb.eu...
000001A: 00 01  ..

-- JoshLittle - 27 Apr 2012


alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Kelihos .eu CnC? Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x07[a-z]{7}\x02eu\x00\x00/"; classtype:trojan-activity; sid:2014371; rev:2;)

Added 2012-03-14 18:18:53 UTC

Saw FPs on resolution of www.toshiba.eu and www.storage.toshiba.eu

0000  XX XX XX XX XX XX XX XX  XX XX XX XX XX XX XX XX   ........ ........
0010  XX XX XX XX XX XX XX XX  XX XX XX XX XX XX XX XX   ........ ........
0020  XX XX XX XX XX XX XX XX  XX XX XX XX XX XX 8b f8   ........ ........
0030  01 00 00 01 00 00 00 00  00 00 03 77 77 77 07 73   ........ ...www.s
0040  74 6f 72 61 67 65 07 74  6f 73 68 69 62 61 02 65   torage.t oshiba.e
0050  75 00 00 01 00 01                                  u.....           

-- StephaneChazelas - 15 Mar 2012
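To make the two false-positive reports above concrete, here is an added Python model of what sid 2014371 actually tests in rev 2 versus rev 5 (the `byte_test` on the DNS flags, the `|00 00 07|` content pinned to the first 16 bytes, the `|02|eu|00|` content and the PCRE), plus a simplified model of the `threshold` change from `type limit` (rev 5) to `type both` (rev 6). This is example code written for this page, not Emerging Threats' rules engine or any Snort/Suricata code. The `TALKWEB_EU` and `WWW_STORAGE_TOSHIBA_EU` payloads are transcribed from the hex dumps posted in the thread (the Toshiba one with its link/IP/UDP headers stripped); `abcdefg.eu` is a made-up name whose shape (a 7-letter first label under .eu) is what the signature targets, not a real Kelihos domain; the function and class names and the window-handling in `Threshold` are this example's own assumptions.

```python
"""Model of ET sid 2014371 match logic (rev 2 vs rev 5) and its threshold.
Added example for illustration; not ET, Snort or Suricata code."""
import re

# Constructed wire payloads.  The first two are transcribed from the thread's
# hex dumps; the third name is made up for the example.
TALKWEB_EU = bytes.fromhex(
    "3364 0000 0001 0000 0000 0000 0774 616c 6b77 6562 0265 7500 0001 0001")
WWW_STORAGE_TOSHIBA_EU = bytes.fromhex(
    "8bf8 0100 0001 0000 0000 0000 0377 7777 0773 746f 7261 6765"
    "0774 6f73 6869 6261 0265 7500 0001 0001")


def dns_query(txid: int, flags: int, qname: str) -> bytes:
    """Build a minimal DNS question (QDCOUNT=1, QTYPE=A, QCLASS=IN)."""
    hdr = txid.to_bytes(2, "big") + flags.to_bytes(2, "big") + b"\x00\x01" + b"\x00" * 6
    name = b"".join(len(lbl).to_bytes(1, "big") + lbl.encode() for lbl in qname.split("."))
    return hdr + name + b"\x00" + b"\x00\x01\x00\x01"


def qr_opcode_zero(payload: bytes) -> bool:
    # byte_test:1,!&,0xF8,2 -> the byte at offset 2 (first flags byte) must have
    # none of the QR/Opcode bits set, i.e. a standard query, not a response.
    return len(payload) > 2 and payload[2] & 0xF8 == 0


def matches_rev2(payload: bytes) -> bool:
    """rev 2: any 7-letter label directly followed by .eu, anywhere in the name."""
    return (qr_opcode_zero(payload)
            and b"\x02eu\x00" in payload                                  # content:"|02|eu|00|"
            and re.search(rb"\x07[a-z]{7}\x02eu\x00\x00", payload) is not None)


def matches_rev5(payload: bytes) -> bool:
    """rev 5: the 7-letter label must be the FIRST label of the query name."""
    return (qr_opcode_zero(payload)
            and b"\x00\x00\x07" in payload[:16]                           # content:"|00 00 07|"; depth:16
            and b"\x02eu\x00" in payload                                  # content:"|02|eu|00|"; fast_pattern
            and re.search(rb"\x00\x07[a-z]{7}\x02eu\x00", payload) is not None)


class Threshold:
    """Simplified model of `threshold: type <limit|both>, count N, seconds S, track by_src`.
    Assumption: a window opens at a source's first event and is reset once S seconds passed."""

    def __init__(self, kind: str, count: int, seconds: int):
        self.kind, self.count, self.seconds = kind, count, seconds
        self._state = {}  # src -> (window_start, events_in_window)

    def event(self, src: str, ts: float) -> bool:
        start, n = self._state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0
        n += 1
        self._state[src] = (start, n)
        if self.kind == "limit":   # rev 5: alert on each of the first `count` events per window
            return n <= self.count
        if self.kind == "both":    # rev 6+: alert once per window, on the `count`-th event
            return n == self.count
        raise ValueError(f"unsupported threshold type: {self.kind}")


def alerts_for(kind: str, timestamps, src: str = "10.0.0.5") -> list:
    """Return the event timestamps at which the rule would raise an alert."""
    th = Threshold(kind, count=5, seconds=120)
    return [t for t in timestamps if th.event(src, t)]


if __name__ == "__main__":
    samples = {
        "talkweb.eu (thread FP)": TALKWEB_EU,
        "www.storage.toshiba.eu (thread FP)": WWW_STORAGE_TOSHIBA_EU,
        "abcdefg.eu query (constructed)": dns_query(0x1234, 0x0100, "abcdefg.eu"),
        "abcdefg.eu response (constructed)": dns_query(0x1234, 0x8180, "abcdefg.eu"),
    }
    for label, p in samples.items():
        print(f"{label:36s} rev2={matches_rev2(p)!s:5} rev5={matches_rev5(p)!s:5}")
    burst = [0, 10, 20, 30, 40, 50, 60, 70, 130, 140]
    print("limit alerts at:", alerts_for("limit", burst))
    print("both  alerts at:", alerts_for("both", burst))
```

Running it shows why rev 5 silenced the Toshiba report but not the talkweb one: the rev 5 change anchors the 7-letter label to the start of the question (the `|00 00 07|` content inside `depth:16` and the leading `\x00` in the PCRE), which excludes `www.storage.toshiba.eu` where `toshiba` is the third label, while `talkweb.eu` is still a single 7-letter label directly under .eu and matches both revisions. The threshold model shows the difference between `type limit` (alerts on each of the first five lookups in a window) and `type both` (one alert per window, only once five lookups have been seen).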


Topic revision: r4 - 2012-04-27 - JoshLittle
 