Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: JackPOS sig

From: James Espinosa <jamesejr () gmail com>
Date: Tue, 11 Feb 2014 16:42:55 -0600
Thanks, James. Although, in the POST request referenced in the SpiderLabs
blog, the user agent string has a space (ie. User-Agent: something). I also
had issues producing an alert while testing. I removed the *file_data* keyword
from the rule and it fired correctly (the user agent string is seen in
requests going from internal to external (exfil), but not in the return
traffic). Please correct me if I'm wrong, but perhaps this might work?

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS
User-Agent
detected"; flow:to_server,established; content:"User-Agent|3A| something";
http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy
security-ips drop, service http; reference:url,
blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html;
classtype:trojan-activity;
sid:10000125; rev:1;)


On Tue, Feb 11, 2014 at 2:46 PM, James Lay <jlay () slave-tothe-box net> wrote:


alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS
User-Agent detected"; flow:to_server,established; file_data;
content:"User-Agent|3A|something"; http_header; fast_pattern:only;
metadata:policy balanced-ips drop, policy security-ips drop, service
http;
reference:url,
blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html;
classtype:trojan-activity; sid:10000125; rev:1;)

PoS Malware..what a pain.

James


------------------------------------------------------------------------------
Android apps run on BlackBerry 10
Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
Now with support for Jelly Bean, Bluetooth, Mapview and more.
Get your Android app in front of a whole new audience.  Start now.

http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
Android apps run on BlackBerry 10
Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
Now with support for Jelly Bean, Bluetooth, Mapview and more.
Get your Android app in front of a whole new audience.  Start now.
http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: