cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1833
Views
0
Helpful
1
Replies

MALWARE-BACKDOOR wow 23 runtime detection

Please explain this rule how it works.

 

Is it detecting the alert based only on the content "R|00|23".  Please explain how to figure this out.

 

IPS Rule:

 

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wow 23 runtime detection"; flow:to_client,established; content:"R|00|23"; depth:4; detection_filter:track by_src, count 3, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/0_9/23/23_0.3.html; classtype:trojan-activity; sid:10184; rev:6; )

 

1 Reply 1

atatistc
Cisco Employee
Cisco Employee

The string is apparently something found in the WOW 23 trojan horse program network communications.  The rule is only enabled today in the Security Over Connectivity rule set which means it probably has more false positives.  The real question is do you need a 10 year old Snort rule enabled?  

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card