Snort mailing list archives
Detection for "niki-bot" and "Awesome Screenshot URL" spyware
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Thu, 14 Aug 2014 11:52:54 -0400
Source: https://mig5.net/content/awesome-screenshot-and-niki-bot

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT niki-bot"; flow:to_server,established; content:"User-Agent|3A| niki-bot"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; classtype:attempted-recon; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; sid:1000000; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI POST request to /service2"; flow:to_server,established; content:"POST"; http_method; content:"/service2"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; classtype:successful-recon-limited; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; sid:1000001; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain s1821.crdui.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|s1821|05|crdui|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; classtype:attempted-recon; sid:1000002; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain webovernet.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|webovernet|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; classtype:attempted-recon; sid:1000003; rev:1;)

--
when does reality end? when does fantasy begin?
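The two DNS rules above match on the raw wire-format name (each label prefixed by its length byte, terminated by a zero byte) and use byte_test:1,!&,0xF8,2 to require that the flags byte at offset 2 has QR=0 and opcode=0, i.e. a standard query rather than a response. The following is an added example, not code from the post or from the Snort project: it derives the |hex| content string for a domain the way these rules write it, and replays the same two checks against a DNS query packet constructed in the script. The packet builder and all sample domains are assumptions made for the demonstration.

```python
import struct


def dns_name_wire(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels: len byte + label, ... , 0x00."""
    out = b""
    for label in domain.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dns_name_to_content(domain: str) -> str:
    """Render the wire-format name in Snort's |hex| content syntax,
    e.g. s1821.crdui.com -> |05|s1821|05|crdui|03|com|00|."""
    return "".join(
        f"|{len(label):02X}|{label}" for label in domain.strip(".").split(".")
    ) + "|00|"


def build_query(domain: str, txid: int = 0x1234, flags: int = 0x0100,
                qtype: int = 1) -> bytes:
    """Constructed sample packet: a minimal DNS header (1 question) plus the
    question section. flags=0x0100 is a standard query with RD set."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + dns_name_wire(domain) + struct.pack("!HH", qtype, 1)


def rule_matches(payload: bytes, domain: str) -> bool:
    """Replicate the rule body on a UDP/53 payload:
    byte_test:1,!&,0xF8,2  -> (payload[2] & 0xF8) == 0, i.e. QR=0, opcode=0
    content:"|..|label..|00|" -> wire-format name present anywhere in payload."""
    if len(payload) < 12:
        return False
    if payload[2] & 0xF8:
        return False
    return dns_name_wire(domain) in payload


if __name__ == "__main__":
    for dom in ("s1821.crdui.com", "webovernet.com"):
        print(f'content:"{dns_name_to_content(dom)}"')
        q = build_query(dom)
        r = build_query(dom, flags=0x8180)  # constructed response, QR=1
        print(dom, "query ->", rule_matches(q, dom), "| response ->", rule_matches(r, dom))
```

Because the content match is a plain substring search on the wire-format name, a query for any subdomain (for example a constructed `x.s1821.crdui.com`) also fires, which is what you want for a blocklist rule; the byte_test is what keeps the rule from alerting a second time on the resolver's answer to that query.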