Snort mailing list archives

Re: MALWARE-CNC Win.Trojan.Bedep variant outbound connection (1:33188)


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 19 Jan 2016 21:33:16 +0000

Elliot —

I’ll have someone take a look at this. However, have you looked at sid 35448?


--



Joel Esler
Manager, Open Source & Threat Intelligence
Talos
jesler () cisco com


On Jan 19, 2016, at 3:56 PM, Elliot Anderson <new.http.451 () gmail com> wrote:

Hello all,

Has anybody struggled with the 1:33188 sig previously? The thing is that this signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection"; flow:to_server,established; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; content:"Host|3A 20|www.ecb.europa.eu|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33188; rev:4; )

quite often triggers on legitimate traffic not associated with any CNC connection: just simple browsing and a request for a file from the European Central Bank (ECB) which contains the last 90 days of “Euro foreign exchange reference rates” and is updated daily. However, Trojan Bedep uses it as part of its DGA scheme.

Are there any supplementary signatures for this activity, because this one isn't working exactly the way we would like and expect it to?

Thanks for any comments,
Elliot
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

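An added example, not code from the thread, from Talos or from Snort: a minimal Python evaluator of the two content checks in sid 33188, run against constructed HTTP requests. It shows that the rule's conditions are met by any client fetching that ECB file with that Host header, which is why ordinary browsing fires it; the request bodies, User-Agent and the alternate path are my own constructed samples, and only the content/http_uri/http_header options are evaluated (flow, metadata and fast_pattern are ignored).

```python
# Sid 33188 as posted in the thread, with the mail client's link residue removed (constructed copy).
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep '
        'variant outbound connection"; flow:to_server,established; '
        'content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; '
        'content:"Host|3A 20|www.ecb.europa.eu|0D 0A|"; fast_pattern:only; http_header; '
        'metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; '
        'classtype:trojan-activity; sid:33188; rev:4; )')

def decode_content(s):
    """Expand Snort |hex| escapes: 'Host|3A 20|x' -> b'Host: x'."""
    out = bytearray()
    for i, part in enumerate(s.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)

def parse_contents(rule):
    """Return [(pattern, buffer)], buffer being the http_* modifier that follows each content: option."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    contents = []
    for opt in (o.strip() for o in body.split(';')):
        if opt.startswith('content:'):
            contents.append([decode_content(opt[8:].strip().strip('"')), 'raw'])
        elif opt in ('http_uri', 'http_header') and contents:
            contents[-1][1] = opt
    return [tuple(c) for c in contents]

def rule_matches(rule, request):
    """Evaluate the rule's content checks against one raw HTTP request (bytes); other options are ignored."""
    head, _, _body = request.partition(b'\r\n\r\n')
    request_line, _, headers = head.partition(b'\r\n')
    uri = request_line.split(b' ')[1]
    buffers = {'http_uri': uri, 'http_header': headers + b'\r\n', 'raw': request}
    return all(pat in buffers[buf] for pat, buf in parse_contents(rule))

# Constructed sample requests: an ordinary browser fetching the public ECB rates file,
# and the same browser fetching a different path on the same host.
BROWSER_FETCH = (b'GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n'
                 b'Host: www.ecb.europa.eu\r\n'
                 b'User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0\r\n'
                 b'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n'
                 b'Connection: keep-alive\r\n\r\n')
OTHER_PATH = BROWSER_FETCH.replace(b'eurofxref-hist-90d.xml', b'eurofxref-daily.xml')

if __name__ == '__main__':
    # Expected: True for the browser fetch (nothing in the rule distinguishes a browser
    # from a bot that fetches the same file), False once the path differs.
    print(rule_matches(RULE, BROWSER_FETCH), rule_matches(RULE, OTHER_PATH))
```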