Snort mailing list archives
Re: Quick Android/Fakelash.A!tr.spy sig
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 21 Sep 2012 19:51:38 -0400
Thanks James. I'll see if we have pcaps.

--
Joel Esler

On Sep 21, 2012, at 5:14 PM, James Lay <jlay () slave-tothe-box net> wrote:
Maybe add the /data.php?action=add? Not sure...sanity checked, but not much more as I don't have pcaps.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"=hithere"; content:"=1234"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; reference:url,http://blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:10000028; rev:1;)

As always, comments and improvements welcome. Thanks all!

James

------------------------------------------------------------------------------
Got visibility?
Most devs has no idea what their production app looks like.
Find out how fast your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219671;13503038;y?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!