Dasher Variant Traffic, Known WMF provider, and traffic to bad netblocks

alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (content:"rain357"; nocase; msg:"[OFFENSIVE COMPUTING]Dasher variant phoning home to IRC server"; sid:66600001; rev:1;)

alert tcp $HOME_NET 5262 -> $EXTERNAL_NET any (flags:S; msg:"[OFFENSIVE COMPUTING]Dasher Variant SYN scanning home"; sid:66600002; rev:1;)

alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider for WMF exploit";sid:66600003;rev:1;)

alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider downloading sdbot05b.jpg for WMF exploit";content:"sdbot05b.jpg";nocase;sid:66600004;rev:1;)

alert tcp $HOME_NET any -> [69.50.160.0/19,85.255.112.0/20] any (msg:"[OFFENSIVE COMPUTING] Traffic to naughty netblocks - WMF"; reference:url,http://isc.sans.org/diary.php?storyid=997; sid:66600005; rev:1;)
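As an added illustration (not part of the original post or of Offensive Computing's rule set), the following Python evaluator implements the subset of Snort syntax these five rules use (header ports and destination, content, nocase, flags:S, sid) and runs it over constructed connection records, so a defender can see exactly which flows each signature fires on. $HOME_NET and $EXTERNAL_NET are treated as wildcards here, which is an assumption of the example; real Snort resolves them from its configuration.

```python
import ipaddress
from collections import namedtuple

# The five rules from the post, parsed by the minimal evaluator below.
# Only the rule features these signatures use are supported.
RULES_TEXT = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (content:"rain357"; nocase; msg:"[OFFENSIVE COMPUTING]Dasher variant phoning home to IRC server"; sid:66600001; rev:1;)',
    'alert tcp $HOME_NET 5262 -> $EXTERNAL_NET any (flags:S; msg:"[OFFENSIVE COMPUTING]Dasher Variant SYN scanning home"; sid:66600002; rev:1;)',
    'alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider for WMF exploit"; sid:66600003; rev:1;)',
    'alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider downloading sdbot05b.jpg for WMF exploit"; content:"sdbot05b.jpg"; nocase; sid:66600004; rev:1;)',
    'alert tcp $HOME_NET any -> [69.50.160.0/19,85.255.112.0/20] any (msg:"[OFFENSIVE COMPUTING] Traffic to naughty netblocks - WMF"; reference:url,http://isc.sans.org/diary.php?storyid=997; sid:66600005; rev:1;)',
]

# One observed TCP connection (constructed record); syn_only marks a bare SYN probe.
Flow = namedtuple("Flow", "dst_ip dport sport payload syn_only", defaults=(0, b"", False))

def _nets(tok):  # 'any' or a $VAR is a wildcard (assumption); otherwise one CIDR or a [a,b] list
    return None if tok == "any" or tok[0] == "$" else [ipaddress.ip_network(t) for t in tok.strip("[]").split(",")]

def parse_rule(text):
    hdr, opts = text.strip().rstrip(")").split("(", 1)
    _, _, _src, sport, _, dst, dport = hdr.split()
    rule = {"sport": None if sport == "any" else int(sport), "dport": None if dport == "any" else int(dport),
            "dst": _nets(dst), "content": None, "nocase": False, "syn": False}
    for key, _, val in (o.strip().partition(":") for o in opts.split(";") if o.strip()):
        if key == "content":
            rule["content"] = val.strip('"').encode()
        elif key in ("msg", "sid"):
            rule[key] = val.strip('"')
        else:  # nocase, flags; reference/rev are ignored by this evaluator
            rule["nocase"] |= key == "nocase"
            rule["syn"] |= key == "flags" and val == "S"
    return rule

def matches(rule, flow):
    if rule["dport"] not in (None, flow.dport) or rule["sport"] not in (None, flow.sport):
        return False
    if rule["dst"] is not None and not any(ipaddress.ip_address(flow.dst_ip) in n for n in rule["dst"]):
        return False
    if rule["syn"] and not flow.syn_only:
        return False
    if rule["content"] is None:
        return True
    hay, needle = flow.payload, rule["content"]
    return (needle.lower() in hay.lower()) if rule["nocase"] else (needle in hay)

RULES = [parse_rule(r) for r in RULES_TEXT]
def alerts(flow):
    """sids of every rule that fires on the flow; one flow can hit several (66600003 and 66600004 overlap)."""
    return [r["sid"] for r in RULES if matches(r, flow)]
```

Note that sid 66600003 fires on any HTTP connection to that host, so a download of sdbot05b.jpg raises both it and 66600004; conversely the same URI requested from any other host matches neither.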

Let's get these moved

Let's get these moved and attached to the actual malware entries they correspond to. That way in 6 months when someone wants everything about Dasher they can search Dasher and find one entry with all the relevant data.

Thanks,

V.

Will do. Most of these are

Will do. Most of these are attached to the exploit entries. I'm using my blog area as an archive / one stop to get all sigs.

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior