Snort mailing list archives
Re: Kuluoz-ishness
From: Nick Randolph <drandolph () sourcefire com>
Date: Thu, 11 Jul 2013 13:51:31 -0400
Thanks for the info James. I grabbed the samples listed in the pastebin link and ran them here. They were picked up with sid:25675, which is already in the community ruleset. I made some updates based on the samples and it should be a much faster rule now. Here is what it looks like now:
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)
On Wed, Jul 10, 2013 at 4:10 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 7/10/2013 13:44, James Lay wrote:
> Good info on that pastebin link.

how long will that info be available there? I recall checking into pastebin or a similar site and they only held the data for a limited amount of time before it was purged to make room for more... perhaps it would be a good thing to grab that info and post it somewhere where it can remain without fear of being dumped?

--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless private contact is specifically requested and granted.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
--
Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>
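As an added illustration (not part of the thread, and not Sourcefire's own tooling), here is a small Python harness that applies the same payload constraints as the rule above (dsize range, the User-Agent content in the header buffer, urilen:159 and the uppercase-hex URI pcre) to a hand-built HTTP request, so a rule revision like this can be sanity-checked against a positive and a negative sample before it is pushed to sensors. The request builder, the Host value and the sample URIs are constructed assumptions, not captured traffic.

```python
import re

# Constraints transcribed from sid:25675 rev:7 as posted in the thread.
UA_CONTENT = (b"User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; "
              b"Windows NT 9.0; en-US)\r\n")          # content:"...|0D 0A|"; http_header
URI_LEN = 159                                        # urilen:159
URI_RE = re.compile(rb"/[A-F0-9]{158}")              # pcre:"/\x2f[A-F0-9]{158}/U"
DSIZE_MIN, DSIZE_MAX = 267, 276                      # dsize:267<>276

def parse_request(payload: bytes):
    """Return (request-URI, header block) from a raw HTTP request, or (None, b"")."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None, b""
    return parts[1], b"\r\n".join(lines[1:]) + b"\r\n"

def rule_matches(payload: bytes) -> bool:
    """Apply the rule's dsize, content/http_header, urilen and pcre checks."""
    # dsize:267<>276; whether the bounds are inclusive differs between Snort
    # versions, so keep test inputs clear of the edges.
    if not (DSIZE_MIN < len(payload) < DSIZE_MAX):
        return False
    uri, headers = parse_request(payload)
    if uri is None or UA_CONTENT not in headers:   # content ... http_header
        return False
    if len(uri) != URI_LEN:                         # urilen:159
        return False
    return URI_RE.search(uri) is not None           # pcre ... /U

def build_request(uri: bytes, ua: bytes) -> bytes:
    """Constructed sample request (assumed shape, not a real capture)."""
    return (b"GET " + uri + b" HTTP/1.1\r\n"
            + b"Host: example.invalid\r\n"
            + b"User-Agent: " + ua + b"\r\n\r\n")

# Constructed request satisfying every constraint: 159-byte hex URI, 270-byte payload.
SAMPLE_HIT = build_request(b"/" + b"A1" * 79,
                           b"Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)")
# Same shape with a plausible real User-Agent: the "Windows NT 9.0" content fails.
SAMPLE_MISS = build_request(b"/" + b"A1" * 79,
                            b"Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 6.1; en-US)")

if __name__ == "__main__":
    print("hit:", rule_matches(SAMPLE_HIT), "miss:", rule_matches(SAMPLE_MISS))
```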