01-21-2010 08:03 AM - edited 03-10-2019 04:52 AM
I am running an SSM_10 and am curious: does anyone know the sig to block the Torpig/Sinowal rootkit? My ISP is telling me it is in our network but I can't seem to find it. I want to block the traffic, if possible via my IPS module.
Thanks,
D
01-25-2010 12:53 PM
Hi, I saw a few Torpig detections on my network about a week ago, but they were caught by a Snort IPS sensor running the Emerging Threats sigs. The Cisco IPS sensors didn't blink an eye, but traditionally they don't for Trojan/malware infections. Cisco just doesn't seem to put much effort into developing malware/trojan sigs; not sure why, since I've caught MANY infected machines on my network with the ET sigs.
There are two ET sigs for Torpig (from http://emergingthreats.net/index.php/rules-mainmenu-38.html)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (x25)"; flow:established,to_server; uricontent:"/x25.php"; nocase; uricontent:"?id="; nocase; uricontent:"&sv="; nocase; uricontent:"&ip="; nocase; uricontent:"&sport="; nocase; uricontent:"&hport="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2002762; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Torpig; sid:2002762; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (wur8)"; flow:established,to_server; uricontent:"/wur8.php"; nocase; uricontent:"?id="; nocase; uricontent:"&sv="; nocase; uricontent:"&ip="; nocase; uricontent:"&sport="; nocase; uricontent:"&hport="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2003066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Torpig; sid:2003066; rev:3;)
You can create a custom sig for it, using the HTTP engine, and doing an Argument Name RegEx that matches the URICONTENT fields in the ET sigs. For example, using the ET sig above:
URI Regex: /wur8\.php
URI Content: (\?id=).*(&sv=).*(&ip=).*(&sport=).*(&hport=).*(&os=)
Cisco is big (and I agree) on making the detections case-insensitive, so you should really do: /[Ww][Uu][Rr]8\.[Pp][Hh][Pp]
Please be really careful with developing custom sigs, especially ones that use RegEx - you can really bork your Sensor.
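As an added illustration (not code from the post above or from Emerging Threats or Cisco), here is a small Python scanner that applies the two ET Torpig URI patterns to HTTP request lines the way Snort's uricontent/nocase does: every token must appear somewhere in the URI, case-insensitively, with no ordering between tokens. It also builds the explicit [Xx]-style character classes the post recommends for a sensor whose regex engine cannot be told to ignore case. The request lines are constructed samples, not captured traffic; the sids are the ones quoted in the signatures above.

```python
import re

# Token lists copied from the two ET signatures quoted in this thread
# (sids 2002762 and 2003066). Each entry is a Snort uricontent value.
TORPIG_SIGS = {
    2002762: ["/x25.php", "?id=", "&sv=", "&ip=", "&sport=", "&hport=", "&os="],
    2003066: ["/wur8.php", "?id=", "&sv=", "&ip=", "&sport=", "&hport=", "&os="],
}

# Constructed sample request lines (not real traffic). The first two should
# fire, the remaining three should not.
SAMPLE_REQUESTS = [
    "GET /wur8.php?id=0001&sv=1&ip=10.0.0.5&sport=1025&hport=80&os=5.1 HTTP/1.1",
    "GET /X25.PHP?id=0002&sv=2&ip=10.0.0.6&sport=1026&hport=443&os=6.0 HTTP/1.1",
    "GET /index.php?id=3&page=2 HTTP/1.1",
    "POST /wur8.php?id=4&os=5.1 HTTP/1.1",            # most parameters missing
    "GET /notwur8.php?id=5&sv=1&ip=1.2.3.4&sport=1&hport=2&os=3 HTTP/1.1",  # no "/wur8.php"
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d$")


def extract_uri(request_line):
    """Return the request-URI from an HTTP request line, or None if malformed."""
    m = REQUEST_LINE.match(request_line.strip())
    return m.group("uri") if m else None


def nocase_class_regex(literal):
    """Turn a literal uricontent value into a regex with explicit [Xx] classes
    for every letter and escaping for everything else, e.g.
    "/wur8.php" -> "/[Ww][Uu][Rr]8\\.[Pp][Hh][Pp]"."""
    parts = []
    for ch in literal:
        if ch.isalpha():
            parts.append("[" + ch.upper() + ch.lower() + "]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def matches_sig(uri, tokens):
    """Snort uricontent + nocase semantics: every token must occur somewhere in
    the URI, case-insensitively; token order is not enforced."""
    return all(re.search(nocase_class_regex(t), uri) for t in tokens)


def scan(request_lines):
    """Return (sid, uri) pairs for every request line that matches a signature."""
    hits = []
    for line in request_lines:
        uri = extract_uri(line)
        if uri is None:
            continue
        for sid, tokens in TORPIG_SIGS.items():
            if matches_sig(uri, tokens):
                hits.append((sid, uri))
    return hits


if __name__ == "__main__":
    for sid, uri in scan(SAMPLE_REQUESTS):
        print("sid %d matched %s" % (sid, uri))
```

Note the difference from the ordered regex in the post: the ET rule fires on any arrangement of the parameters, while a single ".*"-chained regex only fires when they appear in that exact order. Either approach is fine for this family, but if you port a rule to another engine it is worth deciding which behaviour you actually want.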
02-18-2010 12:39 PM
We have had and still have problems with it too. We were elated when Cisco FINALLY added the signatures to the IPS. Of course, then we found out it didn't work. The IPS doesn't see it.
Hopefully, Cisco will fix this for its customer base.