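# --- Bot registration and heartbeat (bot <-> C&C, TCP/23) ---
# Direction: flow:to_server is the infected bot talking to the C&C;
# flow:from_server is the C&C reply on the same established session.
# Every rule option, including the last one before ')', is terminated with
# ';' -- the original listing dropped the final ';' after rev:1, which the
# Snort rule parser does not accept.  reference/classtype were added and
# rev bumped because the rule bodies changed.
# No dsize on the registration rule: depth:4 only anchors the 4-byte prefix
# at the start of the payload, so a segment carrying more after it still matches.
alert tcp any any -> any 23 (msg:"Mirai Botnet: Register Bot with C&C"; flow:to_server,established; content:"|00 00 00 01|"; depth:4; reference:url,www.iij.ad.jp/en/dev/iir/pdf/iir_vol33_infra_EN.pdf; classtype:trojan-activity; sid:1000000; rev:2;)
# The heartbeat is a bare 2-byte all-zero payload.  dsize:2 states that
# exact-length requirement directly (and is evaluated before content), so
# the pcre "/^\x00\x00$/m" that used to enforce it is no longer needed.
# NOTE(review): a 2-byte zero payload on port 23 is a weak signature on its
# own; if heartbeat noise is a problem, consider flowbits:set on sid 1000000
# and flowbits:isset here so heartbeats only alert on a session that
# registered first -- confirm the two messages share one TCP session before doing so.
alert tcp any any -> any 23 (msg:"Mirai Botnet: Send Heartbeat from Bot to C&C"; flow:to_server,established; dsize:2; content:"|00 00|"; depth:2; reference:url,www.iij.ad.jp/en/dev/iir/pdf/iir_vol33_infra_EN.pdf; classtype:trojan-activity; sid:1000001; rev:2;)
alert tcp any 23 -> any any (msg:"Mirai Botnet: Reply Heartbeat from C&C to Bot"; flow:from_server,established; dsize:2; content:"|00 00|"; depth:2; reference:url,www.iij.ad.jp/en/dev/iir/pdf/iir_vol33_infra_EN.pdf; classtype:trojan-activity; sid:1000002; rev:2;)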
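# --- Bot downloader delivery over telnet (loader -> victim device) ---
# Here the *loader* is the TCP client and the victim device is the server on
# 23/2323, so flow:to_server matches the commands typed into the victim's shell.
# The original listing wrapped this rule across two lines; a content string
# cannot span a line break, so the rule is rejoined on one line.  '|3b|' is
# the escaped ';' inside content, and the trailing ';' before ')' is required.
alert tcp any any -> any [23,2323] (msg:"Mirai Botnet: Download Bot Downloader via Telnet (echo)"; flow:to_server,established; content:"echo -ne '"; content:"' > upnp|3b| /bin/busybox ECCHI"; reference:url,www.iij.ad.jp/en/dev/iir/pdf/iir_vol33_infra_EN.pdf; classtype:trojan-activity; sid:1000060; rev:2;)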
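# --- Bot binary download commands over telnet (loader -> victim device) ---
# Both rules watch the command the loader types into the victim's busybox
# shell; the victim is the server on 23/2323 (flow:to_server).
# Both rules were wrapped across two lines in the original listing and are
# rejoined here (a content string cannot span lines); the trailing ';' before
# ')' is required by the rule parser.  rev bumped because the bodies changed.
# Port in the wget URL is not constrained here: content only pins
# "wget http://" and the "/bins/mirai." path component.
alert tcp any any -> any [23,2323] (msg:"Mirai Botnet: Download Bot binary via Telnet (wget)"; flow:to_server,established; content:"/bin/busybox wget http://"; content:"/bins/mirai."; content:"-O - > dvrHelper|3b| /bin/busybox chmod 777 dvrHelper|3b| /bin/busybox ECCHI"; reference:url,www.iij.ad.jp/en/dev/iir/pdf/iir_vol33_infra_EN.pdf; classtype:trojan-activity; sid:1000070; rev:2;)
alert tcp any any -> any [23,2323] (msg:"Mirai Botnet: Download Bot binary via Telnet (tftp)"; flow:to_server,established; content:"/bin/busybox tftp "; content:" -g -l dvrHelper -r mirai."; content:"/bin/busybox chmod 777 dvrHelper|3b| /bin/busybox ECCHI"; reference:url,www.iij.ad.jp/en/dev/iir/pdf/iir_vol33_infra_EN.pdf; classtype:trojan-activity; sid:1000071; rev:2;)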
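# --- Bot binary retrieval on the wire (victim -> bin server) ---
# HTTP: the original pcre used Snort's "|0d 0a|" hex notation *inside* the
# regex.  PCRE has no such notation -- '|' is alternation -- so the pattern
# became  (^GET ... HTTP/1.[01]) | (0d 0a) | ($) , and the lone "$" branch
# matches every payload, making the architecture check a no-op.  The line
# terminator is now written as \r\n, the literal dots and slashes are
# escaped, and the request-line match stops at the end of that line.
# NOTE(review): "-> any 80" assumes the bin server listens on 80; if the URL
# seen in sid 1000070 alerts carries another port, widen this destination.
alert tcp any any -> any 80 (msg:"Mirai Botnet: Download Bot binary via HTTP"; flow:to_server,established; content:"GET /bins/mirai."; pcre:"/^GET \/bins\/mirai\.(arm|arm7|m68k|mips|mpsl|ppc|sh4|spc|x86) HTTP\/1\.[01]\r\n/mi"; reference:url,www.iij.ad.jp/en/dev/iir/pdf/iir_vol33_infra_EN.pdf; classtype:trojan-activity; sid:1000080; rev:2;)
# TFTP read request (RFC 1350): opcode 00 01, filename, NUL, mode, NUL.
# The dot in "mirai." is escaped (it used to match any character) and the
# tail is pinned to a NUL-terminated mode field rather than ".+".
alert udp any any -> any 69 (msg:"Mirai Botnet: Download Bot binary via TFTP"; flow:to_server; content:"|00 01|mirai."; depth:12; pcre:"/^\x00\x01mirai\.(arm|arm7|m68k|mips|mpsl|ppc|sh4|spc|x86)\x00[^\x00]+\x00$/i"; reference:url,www.iij.ad.jp/en/dev/iir/pdf/iir_vol33_infra_EN.pdf; classtype:trojan-activity; sid:1000081; rev:2;)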
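# --- Bot execution over telnet (loader -> victim device) ---
# Matches the final command line the loader sends to the victim's shell.
# In the original pcre the '.' before "/upnp", "/dvrHelper" and after
# "telnet" was unescaped and so matched *any* character; it is now a literal
# "\.".  "\;" is kept as in the original (a harmless PCRE escape that also
# keeps the ';' out of the rule-option separator).  The trailing ';' before
# ')' is required by the rule parser; rev bumped because the bodies changed.
# sid 1000091 anchors "^\./dvrHelper", so it does not double-fire on the
# "./upnp; ./dvrHelper" form covered by sid 1000090.
alert tcp any any -> any [23,2323] (msg:"Mirai Botnet: Run Bot binary (upnp & dvrHelper)"; flow:to_server,established; content:"./upnp|3b| ./dvrHelper telnet."; content:"/bin/busybox IHCCE"; pcre:"/^\.\/upnp\; \.\/dvrHelper telnet\.(arm|arm7|m68k|mips|mpsl|ppc|sh4|spc|x86)\; \/bin\/busybox IHCCE/m"; reference:url,www.iij.ad.jp/en/dev/iir/pdf/iir_vol33_infra_EN.pdf; classtype:trojan-activity; sid:1000090; rev:2;)
alert tcp any any -> any [23,2323] (msg:"Mirai Botnet: Run Bot binary (dvrHelper)"; flow:to_server,established; content:"./dvrHelper telnet."; content:"/bin/busybox IHCCE"; pcre:"/^\.\/dvrHelper telnet\.(arm|arm7|m68k|mips|mpsl|ppc|sh4|spc|x86)\; \/bin\/busybox IHCCE/m"; reference:url,www.iij.ad.jp/en/dev/iir/pdf/iir_vol33_infra_EN.pdf; classtype:trojan-activity; sid:1000091; rev:2;)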
These rules are meant to be appended to the local rule file (for example with `vi /etc/snort/rules/local.rules`) and take effect after Snort is restarted or its rules are reloaded.
Source: IIJ Internet Infrastructure Review vol. 33, https://www.iij.ad.jp/en/dev/iir/pdf/iir_vol33_infra_EN.pdf