Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Additional KanKan sig

From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 16 Oct 2013 08:49:43 -0600
With a BIG thanks to Joan Calvet from ESET who got me this great 
additional information:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"MALWARE-OTHER Win32.KanKan executable install"; 
flow:to_server,established; content:"|26|u1=OAINST|26|u2="; http_uri; 
fast_pattern:only; content:"|26|u3="; http_uri; content:"|26|u4="; 
http_uri; content:"|26|u5=inststart"; http_uri; metadata:policy 
balanced-ips drop, policy security-ips drop, service http, ruleset 
community; 
reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama; 
classtype:trojan-activity; sid:10000107; rev:1;)

Thanks all.

James

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: