Kalo masuk ke symantec, bagian yang menerangkan suatu virus, kadang aku lihat ada signature untuk symantect ManHunt seperti di bawah ini:
*******************start file********************
alert tcp any any -> any 25 (msg:"BugBear B SMTP Worm Propagation"; content:"CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA";)
alert tcp any any -> any 139 (msg:"BugBear B Network Worm Propagation"; content:"|0B010600002001000010000000E006002001080000F006000010080000004000001000000002
000004000000000000000400000000000000002008000010000000000000020000000000100000100000
000010000010000000000000100000000000000000000000001008006401000000000000000000000000
0000000000000000000000000000641108000C|"; content:"|555058300000000000E0060000100000|";)
*************EOF*********************
*******************start file********************
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|p"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|e"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|f"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|s"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|c"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|o"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|k"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|d"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|r"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|h"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|i"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|z"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|y"; offset: 20; depth: 2; dsize:>21; )
alert tcp any any -> any 1080 (msg: "BugBear B Backdoor Attack"; content: "|3b|t"; offset: 20; depth: 2; dsize:>21; )
*************EOF*********************
Apakah ada utility linux-based yang bisa menggunakan signature di atas?
Kelihatannya rule tersebut bisa di apply di iptables, tapi aku nggak ngerti nerjemahin ke rule iptables... ada yang ngerti?
thanks.
-- dapidc
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]