Improving Snort Rule Detection For Botnets
Snort has many good rules for detecting the most malicious threats, but with increased threats from even the most persistent botnets we need to keep on improving our past rules in order to defeat these threats. Since the Zeus botnet is so dangerous and malicious in the ways it attack it's victim, I thought of developing a whole new line of new rules for the Snort IDS. These rules are based on rule methodology that are used to develop a Snort based rule, but my rule just is specifically targeting the Zeus botnet. Botnets are one of the most challenging pieces of malware to not only detect, but eliminate.
I prefer developing my won Snort rules over finding other ones like it because each network or situation for securing a network is different. As botnet attacks grow and evolve we also need to adopt new innovations for defeating them.
I have attached my rule below so you can see what I'm talking about.
alert tcp $HOME NET any -> $EXTERNAL NET $HTTP PORTS (\ flow:established, to server; \ content:"|00 00 00 02|"; depth:4; offset:12;\ msg:"Possible Zeus Botnet DDOS attack with trojan"; \ connect: "zeusbank.com" ; nocase; \ classtype: attempted-dos Developed By Eric Dorman









