Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1839
Views
0
Helpful
1
Replies

MALWARE-BACKDOOR wow 23 runtime detection

ramachandran.gunasekaran
Level 1
Level 1

‎05-29-2017 07:49 AM

Please explain this rule how it works.

 

Is it detecting the alert based only on the content "R|00|23".  Please explain how to figure this out.

 

IPS Rule:

 

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wow 23 runtime detection"; flow:to_client,established; content:"R|00|23"; depth:4; detection_filter:track by_src, count 3, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/0_9/23/23_0.3.html; classtype:trojan-activity; sid:10184; rev:6; )

 

Labels:
0 Helpful
1 Reply 1

atatistc
Cisco Employee
Cisco Employee

‎05-31-2017 08:02 PM

The string is apparently something found in the WOW 23 trojan horse program network communications.  The rule is only enabled today in the Security Over Connectivity rule set which means it probably has more false positives.  The real question is do you need a 10 year old Snort rule enabled?  

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card