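5938724b6b41a834ac695529dd104ed0 2010 12 20 intentional 1.0 ordinary_users multi no proteas,dionisos,slart,cn1,panoptis 3,10,20,70 linux 2.6 DoS software install DoS loiq This signature predicts the usage of the Low Orbit Ion Cannon tool for DDoS attacks. as_a_result_of AND loiq executable OR (#userhome#/*,/site/*,/tmp/*,/temp/*) yes johnc loiq.pro textdata OR(#userhome#/*,/site/*,/tmp/*,/temp/*) johnc yes loiq.qrc textdata OR(#userhome#/*,site/*,/tmp/*,/temp/*) yes johnc single johnc OR (file-roller,tar,bunzip2) OR(/usr/bin/,/usr/local/bin) yes loiq*.bz2 any single * any OR (#userhome#/.mozilla/*,#userhome#/.opera) yes "http://sourceforge.net/projects/loiq" johnc
####
# Parse one ITPSL signature file named on the command line, dispatching a
# handler for each header/body element of interest.
#
# The handler subs (getwm, getdetectmethods, getos, getosver, getmainop,
# getnoofsubblocks, parsesubs) are defined elsewhere in this file.
#
# NOTE(review): XML::Twig handlers fire when an element is completely parsed,
# so the .../mainblock/subblock handler presumably runs before the handler
# for the enclosing .../mainblock — confirm before relying on ordering
# between parsesubs and getnoofsubblocks.
#
# Security: signature files appear to be authored by several contributors
# (see the header fields above), so treat them as untrusted XML. Newer
# XML::Twig releases accept a no_xxe => 1 constructor option that refuses
# external entity expansion; NOTE(review): enable it if the installed
# version supports it (older versions reject unknown options).

my $sigfile = shift @ARGV;
die "usage: $0 <signature.xml>\n"
    unless defined $sigfile && length $sigfile;
die "cannot read signature file '$sigfile': $!\n"
    unless -f $sigfile && -r _;

my $twig = XML::Twig::XPath->new(
    TwigHandlers => {
        # ITPSL header: ontology fields
        '/itpslsig/itpslheader/ontology/weightmatrix' => \&getwm,
        '/itpslsig/itpslheader/ontology/detectby'     => \&getdetectmethods,
        '/itpslsig/itpslheader/ontology/os'           => \&getos,
        '/itpslsig/itpslheader/ontology/osver'        => \&getosver,
        # ITPSL body: main block, its operator and its sub-blocks
        '/itpslsig/itpslbody/mainblock/mainop'        => \&getmainop,
        '/itpslsig/itpslbody/mainblock'               => \&getnoofsubblocks,
        '/itpslsig/itpslbody/mainblock/subblock'      => \&parsesubs,
    },
);

# Parse the validated path; handlers are called as each element completes.
$twig->parsefile($sigfile);
####
Called parsesubs
Directive is fileexists
Pushing to sblockstack [0] [0]
Directive is fileexists
Pushing to sblockstack [0] [1]
Directive is fileexists
Pushing to sblockstack [0] [2]
Called parsesubs
Directive is userexec
Pushing to sblockstack [1] [0]
Called parsesubs
Directive is fileexists
Pushing to sblockstack [2] [0]
$VAR1 = [ [ '##STARTOP:fileexists', '##operand:type:executable', '##operand:location:OR (#userhome#/*,/site/*,/tmp/*,/temp/*)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##operand:filename:loiq.pro', '##operand:type:textdata', '##operand:location:OR(#userhome#/*,/site/*,/tmp/*,/temp/*)', '##operand:ownedbyuser:johnc', '##operand:singlefile:yes', '##operand:filename:loiq.qrc', '##operand:type:textdata',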
'##operand:location:OR(#userhome#/*,site/*,/tmp/*,/temp/*)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##ENDOFOP##', '##operand:filename:loiq', '##operand:type:executable', '##operand:location:OR (#userhome#/*,/site/*,/tmp/*,/temp/*)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##operand:filename:loiq.pro', '##operand:type:textdata', '##operand:location:OR(#userhome#/*,/site/*,/tmp/*,/temp/*)', '##operand:ownedbyuser:johnc', '##operand:singlefile:yes', '##operand:filename:loiq.qrc', '##operand:type:textdata', '##operand:location:OR(#userhome#/*,site/*,/tmp/*,/temp/*)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##operand:filename:loiq', '##operand:type:executable', '##operand:location:OR (#userhome#/*,/site/*,/tmp/*,/temp/*)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##operand:filename:loiq.pro', '##operand:type:textdata', '##operand:location:OR(#userhome#/*,/site/*,/tmp/*,/temp/*)', '##operand:ownedbyuser:johnc', '##operand:singlefile:yes', '##operand:filename:loiq.qrc', '##operand:type:textdata', '##operand:location:OR(#userhome#/*,site/*,/tmp/*,/temp/*)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##operand:filename:loiq', '##operand:type:executable', '##operand:location:OR (#userhome#/*,/site/*,/tmp/*,/temp/*)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##operand:filename:loiq.pro', '##operand:type:textdata', '##operand:location:OR(#userhome#/*,/site/*,/tmp/*,/temp/*)', '##operand:ownedbyuser:johnc', '##operand:singlefile:yes', '##operand:filename:loiq.qrc', '##operand:type:textdata', '##operand:location:OR(#userhome#/*,site/*,/tmp/*,/temp/*)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##operand:filename:*', '##operand:type:any', '##operand:location:OR (#userhome#/.mozilla/*,#userhome#/.opera)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc' ], [ '##STARTOP:fileexists', '##ENDOFOP##' ], [ '##STARTOP:fileexists', '##ENDOFOP##' ] 
]; 
$VAR2 = [ [ '##STARTOP:userexec', '##operand:name:OR (file-roller,tar,bunzip2)', '##operand:path:OR(/usr/bin/,/usr/local/bin)', '##operand:singleprocess:yes', '##operand:argumentlist:loiq*.bz2', '##operandpattern:any', '##ENDOFOP##' ] ];
$VAR3 = [ [ '##STARTOP:fileexists', '##ENDOFOP##' ] ];
####
...
Directive is fileexists
Pushing to sblockstack [2] [0]
$VAR1 = [ [ '##STARTOP:fileexists', '##operand:type:executable', '##operand:location:OR (#userhome#/*,/site/*,/tmp/*,/temp/*)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##operand:filename:loiq', '##operand:type:textdata', '##ENDOFOP##' ], [ '##STARTOP:fileexists', '##operand:type:executable', '##operand:location:OR (#userhome#/*,/site/*,/tmp/*,/temp/*)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##operand:filename:loiq.pro', '##operand:type:textdata', '##ENDOFOP##' ], [ '##STARTOP:fileexists', '##operand:type:executable', '##operand:location:OR (#userhome#/*,/site/*,/tmp/*,/temp/*)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##operand:filename:loiq.qrc', '##operand:type:textdata', '##ENDOFOP##' ] ];
$VAR2 = [ [ '##STARTOP:userexec', '##operand:name:OR (file-roller,tar,bunzip2)', '##operand:path:OR(/usr/bin/,/usr/local/bin)', '##operand:singleprocess:yes', '##operand:argumentlist:loiq*.bz2', '##operandpattern:any', '##ENDOFOP##' ] ];
$VAR3 = [ [ '##STARTOP:fileexists', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc', '##operand:filename:*', '##operand:type:any', '##operand:location:OR (#userhome#/.mozilla/*,#userhome#/.opera)', '##operand:singlefile:yes', '##operand:ownedbyuser:johnc' ] ];