The dataset of IoCs provided by FireEye is formatted as a collection of Snort rules. An example of one of these Snort rules is:

alert tcp any any -> any any (msg:""; content:"T "; offset:2; depth:3; content:"Host:"; content:""; within:100; sid:77600853; rev:1;)

It's not necessary to understand how Snort rules work and are written in order to use these rules for detecting the Sunburst malware on a system. However, understanding the basics of how Snort rules are formatted is a useful skill. Read from left to right, the rule above:

Examines TCP connections from any IP address and any port to any IP address and any port.
Prints the message on finding a match.
Looks for the string within the hostname.

This is one of several examples of a Snort rule that can be used to detect the Sunburst malware. To maximize the effectiveness of Snort for detecting the malware, it's a good idea to check all computers against all rules. The domains listed in these Snort rules are no longer live, as Microsoft has sinkholed DNS requests to these domains.
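To show what the rule above actually does to a packet, here is a small added example (not FireEye's rules and not Snort's own engine) that parses a rule in this format and applies its content, offset, depth and within checks to a captured HTTP request. The rule text, the domain c2-placeholder.invalid and the request payloads are constructed placeholders, and the offset/depth/within handling is a simplified model of Snort's semantics.

```python
"""Toy Snort-style content matcher for rules shaped like the FireEye Sunburst IoC rules."""
import re

# header: action proto src sport -> dst dport ( options )
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(rule: str) -> dict:
    """Split a rule into header fields, generic options and an ordered list of content matchers."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    action, proto, src, sport, dst, dport, body = m.groups()
    parsed = {"action": action, "proto": proto, "src": src, "sport": sport,
              "dst": dst, "dport": dport, "contents": []}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        name, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if name == "content":
            parsed["contents"].append({"pattern": value.encode()})
        elif name in ("offset", "depth", "distance", "within"):
            parsed["contents"][-1][name] = int(value)  # modifier binds to the preceding content
        else:
            parsed[name] = value  # msg, sid, rev, ...
    return parsed

def payload_matches(rule: dict, payload: bytes) -> bool:
    """Apply the content matchers in order: offset/depth are absolute, distance/within are relative
    to the end of the previous match (simplified: 'within' is treated as a window size)."""
    cursor = 0  # end of the previous content match
    for c in rule["contents"]:
        if "distance" in c or "within" in c:
            start = cursor + c.get("distance", 0)
            end = start + c["within"] if "within" in c else len(payload)
        else:
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(payload)
        idx = payload.find(c["pattern"], start, end)  # pattern must fit inside [start, end)
        if idx < 0:
            return False
        cursor = idx + len(c["pattern"])
    return True

# Constructed rule in valid Snort syntax; the domain is a placeholder, not a real Sunburst indicator.
SUNBURST_RULE = ('alert tcp any any -> any any (msg:"Sunburst C2 hostname"; content:"T "; offset:2; '
                 'depth:3; content:"Host:"; content:"c2-placeholder.invalid"; within:100; '
                 'sid:77600853; rev:1;)')
# Constructed HTTP requests: a beacon to the placeholder domain, a benign request, and a HEAD request
# that fails the "T " offset:2 depth:3 check before the Host header is even examined.
HIT = b"GET /update.xml HTTP/1.1\r\nHost: abc123.c2-placeholder.invalid\r\n\r\n"
MISS = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HEAD = b"HEAD /x HTTP/1.1\r\nHost: abc123.c2-placeholder.invalid\r\n\r\n"

def alerts(rule_text: str, payloads: list) -> list:
    """Return (sid, msg) for every payload the rule fires on."""
    rule = parse_rule(rule_text)
    return [(rule["sid"], rule["msg"]) for p in payloads if payload_matches(rule, p)]
```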