Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1992
Views
0
Helpful
1
Replies

MALWARE-BACKDOOR wow 23 runtime detection

ramachandran.gunasekaran
Level 1
Level 1

‎05-29-2017 07:49 AM

Please explain this rule how it works.

 

Is it detecting the alert based only on the content "R|00|23".  Please explain how to figure this out.

 

IPS Rule:

 

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wow 23 runtime detection"; flow:to_client,established; content:"R|00|23"; depth:4; detection_filter:track by_src, count 3, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/0_9/23/23_0.3.html; classtype:trojan-activity; sid:10184; rev:6; )

 

Labels:
0 Helpful
1 Reply 1

atatistc
Cisco Employee
Cisco Employee

‎05-31-2017 08:02 PM

The string is apparently something found in the WOW 23 trojan horse program network communications.  The rule is only enabled today in the Security Over Connectivity rule set which means it probably has more false positives.  The real question is do you need a 10 year old Snort rule enabled?  

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top