Home page logo
/

snort logo Snort mailing list archives

Re: Travnet and PCRat sigs
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 14 May 2013 15:14:52 -0600

On 2013-05-14 14:51, rmkml wrote:
Hi James,

Thx for sharing,

no http_uri on first sig ?

Regards
Rmkml

Heh...Rm always catches me!  Yea...I should make it like yonder:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Travnet Botnet data upload"; flow:to_server,established; content:"GET"; 
http_method; http_uri; content:"hostid="; http_uri; 
content:"|26|hostname="; within:16; http_uri; content:"|26|hostip="; 
http_uri; metadata:policy balanced-ips drop, policy security-ips drop, 
service http; 
reference:url,http://blogs.mcafee.com/mcafee-labs/travnet-botnet-controls-victims-with-remote-admin-tool; 
classtype:trojan-activity; sid:10000057; rev:2)

Thanks Rm...your sharp eye helps a lot.

James

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]