Snort mailing list archives

Re: Trojan Linkup sig


From: Y M <snort () outlook com>
Date: Wed, 5 Feb 2014 02:46:38 +0000

Thanks Carlos.
 
YM
 
Date: Tue, 4 Feb 2014 16:15:11 -0500
Subject: Re: [Snort-sigs] Trojan Linkup sig
From: cpacho () sourcefire com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net

We will get this rule added to the community ruleset.

Thanks!
Carlos Pacho
Research Engineer, VRT

Sourcefire, now part of Cisco
cpacho () sourcefire com
Sourcefire.com


On Tue, Feb 4, 2014 at 1:24 PM, Y M <snort () outlook com> wrote:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Win.Trojan.Linkup outbound connection attempt"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"/uplink.php?logo.jpg"; http_uri; urilen:20; \
    content:"User-Agent: Mozilla/5.0"; http_header; \
    content:"token="; http_client_body; fast_pattern:only; \
    metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; \
    reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; \
    classtype:trojan-activity; sid:100155; rev:1;)

 
Thanks
YM

------------------------------------------------------------------------------

Managing the Performance of Cloud-Based Applications

Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.

Read the Whitepaper.

http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
_______________________________________________


Snort-sigs mailing list

Snort-sigs () lists sourceforge net

https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org





Please visit http://blog.snort.org for the latest news about Snort!
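As an added example, not part of the thread and not the rule author's or the VRT's code, here is a small Python model of the rule's match conditions applied to constructed HTTP requests. It shows what the signature requires of a request (POST method, the exact 20-byte URI, the User-Agent header substring, and `token=` in the client body) and makes the `urilen:20` edge case concrete: the length check counts the query string, so a hypothetical variant that appends a cache-buster parameter no longer fires. The sample requests, the `example.invalid` host and the token value are constructed; the parser is a deliberately minimal HTTP/1.x reader and does not reproduce Snort's buffer normalization or fast-pattern scheduling.

```python
"""Model of the Win.Trojan.Linkup rule's match conditions (added example).

Each rule option is reproduced as one check; Snort ANDs all options, so the
request alerts only when every check passes.  Constructed traffic only.
"""
from dataclasses import dataclass

# Literals taken from the rule as posted in the thread.
EXPECTED_URI = "/uplink.php?logo.jpg"    # content:"/uplink.php?logo.jpg"; http_uri;
EXPECTED_URILEN = 20                      # urilen:20; (exact length, query string included)
HEADER_PATTERN = "User-Agent: Mozilla/5.0"  # content:"..."; http_header;
BODY_PATTERN = "token="                   # content:"token="; http_client_body;


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: str   # raw header block without the request line
    body: str


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line, header block, body."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    return HttpRequest(method, uri, "\r\n".join(lines[1:]), body.decode("latin-1"))


def linkup_rule_matches(req: HttpRequest) -> bool:
    """Apply the rule's options in order; any failing option means no alert."""
    if "POST" not in req.method:               # content:"POST"; http_method;
        return False
    if len(req.uri) != EXPECTED_URILEN:        # urilen:20;
        return False
    if EXPECTED_URI not in req.uri:            # content:"/uplink.php?logo.jpg"; http_uri;
        return False
    if HEADER_PATTERN not in req.headers:      # content:"User-Agent: Mozilla/5.0"; http_header;
        return False
    if BODY_PATTERN not in req.body:           # content:"token="; http_client_body;
        return False
    return True


def evaluate(raw: bytes) -> bool:
    """Parse a raw request and return True when the rule would alert."""
    return linkup_rule_matches(parse_http_request(raw))


# Constructed sample traffic (not real captures).
BEACON = (
    b"POST /uplink.php?logo.jpg HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 14\r\n"
    b"\r\n"
    b"token=deadbeef"
)
# Hypothetical variant with a cache-buster appended: urilen is now 24, so
# the exact urilen:20 check fails even though every content match still hits.
BEACON_LONG_URI = BEACON.replace(b"logo.jpg HTTP", b"logo.jpg&x=1 HTTP")
# Ordinary browser fetch of an image: wrong method, URI and no body.
BENIGN = (
    b"GET /logo.jpg HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw in [("beacon", BEACON),
                      ("beacon_long_uri", BEACON_LONG_URI),
                      ("benign", BENIGN)]:
        print(f"{name}: {'ALERT' if evaluate(raw) else 'no match'}")
```

The `beacon_long_uri` case is the one worth thinking about when tuning: an exact `urilen` makes the rule tight against false positives but brittle against trivial URI changes, so a practitioner who wants to catch variants would relax it to a range (for example `urilen:>19`) and rely on the `http_uri` content match for precision.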
