|
-
April 8th, 2008, 05:33 PM
#8
"Somehow, this thing is evading the canonical defense techniques that the enterprises use," such as intrusion detection systems and intrusion prevention systems, he said. "It should be caught by IDSes, IPSes and firewalls and it's not."
First of all, I'd like to formally say, "I told you so." LOL. All of these products are useless in today's threat landscape.
Second, the reason these things aren't catching the traffic is because it's inserted into "normal" traffic streams via customized protocol sets developed by the developer(s). Is anyone truly surprised by this?
Morganlefay, see here:
http://isc.sans.org/diary.html?storyid=4256&rss
While no headers are available (yet) you can look for this 8 byte payload data string which is reported to be fixed (perhaps a session string) for this bot:
4d f4 d5 17 dc 04 c1 2e
Of course this will be process intensive at large organizations. I've currently setup a packet filter rule looking for the above string. Nothing has come across my drag net....yet.
Or you can grab some rules that others have written here:
http://doc.emergingthreats.net/bin/view/Main/OdeRoor
--TH13
Last edited by thehorse13; April 8th, 2008 at 05:47 PM.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
Similar Threads
-
By Egaladeist in forum Security News
Replies: 0
Last Post: October 24th, 2005, 06:47 AM
-
By White Scorpion in forum Other Tutorials Forum
Replies: 3
Last Post: February 13th, 2005, 10:44 PM
-
By ali1 in forum Spyware / Adware
Replies: 62
Last Post: April 22nd, 2004, 10:56 PM
-
By dwcnmv in forum Programming Security
Replies: 9
Last Post: October 8th, 2003, 12:27 AM
-
By Spyder32 in forum Cosmos
Replies: 15
Last Post: December 23rd, 2002, 09:25 PM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote