Snort rules for Etumbot

June 9, 2014 Arbor Networks

Since publication of the Etumbot blog on Friday, June 6th, we’ve received numerous requests to publish Snort rules for the network indicators described therein. You can find Snort rules for the Etumbot C&C communications on Arbor’s github at

While we are not Snort syntax experts, we have performed basic testing for the Etumbot communications we’ve been able to observe over the wire. Specifically, the first three Snort rules for Etumbot RC4 Key Request, Etumbot Registration Request, and EtumBot Ping all triggered successfully when the corresponding network traffic was observed.

Remember to change the SIDs as appropriate for your environment. We also anticipate these rules will be incorporated into the EmergingThreats Open feed in the very near term.


Previous Article
The Citadel and Gameover Campaigns of 5CB682C10440B2EBAF9F28C1FE438468
The Citadel and Gameover Campaigns of 5CB682C10440B2EBAF9F28C1FE438468

As the infosec community waits for the researchers involved to present their...

Next Article
Illuminating The Etumbot APT Backdoor

The Arbor Security Engineering Response Team (ASERT) has released a research...