12 lines
437 B
Plaintext
12 lines
437 B
Plaintext
|
|
rule Backdoor_Linux_Gafgyt_BS_xp{
|
|
meta:
|
|
description = "Backdoor:Linux/Gafgyt.BS!xp,SIGNATURE_TYPE_ELFHSTR_EXT,02 00 02 00 02 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {a0 00 0b e5 a4 10 0b e5 a8 20 0b e5 ac 30 0b e5 00 30 a0 e3 9c 30 0b e5 a4 30 1b e5 98 30 0b e5 94 30 4b e2 10 30 0b e5 00 30 a0 e3 14 30 0b e5 06 00 00 } //01 00
|
|
$a_00_1 = {30 9f e5 00 10 93 e5 20 20 1b e5 24 30 1b e5 02 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |