[Firekeeper] Rules Question

Jan Wrobel wrobel at blues.ath.cx
Thu Mar 29 02:42:56 PST 2007


On Fri, 23 Mar 2007, R. Williams wrote:

> Greetings,
> 
> I just read an article from http://www.secureworks.com discussing the Gozi 
> Trojan, and at the end of the article they included 3 Snort rules to help 
> protect against this threat.  I copied and saved the Snort rules as a .txt 
> file and then added that local file to the Firekeeper rules.  I noticed that 
> all three rules had the following parsing errors:
> 
> Error at line 1: Rule has to have form: action (options)
> Error at line 3: Rule has to have form: action (options)
> Error at line 5: Rule has to have form: action (options)
> 
> Is this okay or do I need to make a modification?  The article can be found 
> at: http://www.secureworks.com/research/threats/gozi/?threat=gozi
> 

You are not the first one to ask about these Gozi Trojan detection
rules ;)

The problem is that these rules detect the trojan's outbound
communications. This data is not received by the browser, so it can't
be detected by Firekeeper. The article says that the trojan spreads through an IE
browser exploit. Firekeeper could be used to detect pages that host
this exploit, but the article gives no details on how this exploit
can be detected, not even what kind of exploit it is.

Cheers,
Jan
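As an added illustration (not code from this thread or from Firekeeper itself), a small Python checker that reproduces the parse error quoted above and explains it: it assumes only the `action (options)` shape named in the error text and the standard Snort header layout, and the sample rules are constructed, not the article's Gozi rules.

```python
import re

# Rule shape the parser error refers to: action (options), no network header
FIREKEEPER_RULE = re.compile(r'^(alert|pass|drop)\s*\((.*)\)$')

# Classic Snort shape: action proto src sport dir dst dport (options)
SNORT_RULE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)$')


def classify_rule(line):
    """Explain why a single rule line will or will not load in Firekeeper."""
    line = line.strip()
    if FIREKEEPER_RULE.match(line):
        return 'ok'
    m = SNORT_RULE.match(line)
    if not m:
        return 'Rule has to have form: action (options)'
    # A Snort header is present. Firekeeper has no network header at all, and a
    # rule keyed on traffic leaving $HOME_NET describes data the browser never receives.
    outbound = m['src'] == '$HOME_NET' and m['dir'] == '->' and m['dst'] != '$HOME_NET'
    reason = ('matches outbound traffic, which a browser-side engine never sees'
              if outbound else 'carries a Snort network header, which Firekeeper does not parse')
    header = f"{m['proto']} {m['src']} {m['sport']} {m['dir']} {m['dst']} {m['dport']}"
    return f"Rule has to have form: action (options); Snort header '{header}' {reason}"


def check_rule_file(text):
    """Return [(line_number, verdict)] for every non-blank, non-comment line."""
    return [(n, classify_rule(l)) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith('#')]


# Constructed sample rule file (placeholder rules, not the Gozi rules from the
# article): Snort-style rules on lines 1 and 3, a Firekeeper-style rule on line 5.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE outbound beacon"; content:"/example/"; sid:9000001;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE inbound response"; content:"example"; sid:9000002;)

alert(msg:"EXAMPLE page content"; content:"example"; sid:9000003;)
"""

if __name__ == '__main__':
    for lineno, verdict in check_rule_file(SAMPLE_RULES):
        print(f'Line {lineno}: {verdict}')
```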

