Snort mailing list archives
TROJ_NAIKON.A sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 26 Apr 2013 13:35:03 -0600
And another (slow day) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"INDICATOR-COMPROMISED TROJ_NAIKON.A User-Agent"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2f|WEB"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:10000050; rev:1;) I'm thinking file_data isn't needed as we're just looking at headers? James ------------------------------------------------------------------------------ Try New Relic Now & We'll Send You this Cool Shirt New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- TROJ_NAIKON.A sig James Lay (Apr 26)
- Re: [Emerging-Sigs] TROJ_NAIKON.A sig Will Metcalf (Apr 29)
- Re: [Snort-sigs] [Emerging-Sigs] TROJ_NAIKON.A sig James Lay (Apr 26)
- Re: [Emerging-Sigs] TROJ_NAIKON.A sig Will Metcalf (Apr 29)