![snort logo](/images/snort-logo.png)
Snort mailing list archives
Possible Dridex C2 UA sig
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 19 Feb 2015 12:08:00 -0700
Topic says it...went with two contents and the fast_pattern instead of pcre:

```
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible Dridex C2 User Agent (AnyEvent)"; flow:to_server,established; content:"User-Agent|3a|"; content:"AnyEvent-HTTP"; http_header; fast_pattern:only; reference:url,software.schmorp.de/pkg/AnyEvent; classtype:trojan-activity; sid:10000152; rev:1;)
```

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
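To see what the two content checks in the posted rule actually select, here is an added example (not from the post or the Snort project) that emulates the matching over a few constructed HTTP requests. It assumes Snort 2.x semantics: a bare `content` is searched in the raw payload, while `content ... http_header` is restricted to the header block after the request line, and matching is case-sensitive because the rule has no `nocase`.

```python
# Emulate the content checks of sid:10000152 (Dridex AnyEvent-HTTP UA rule).
# Assumption: the http_header buffer covers the header lines after the request
# line, up to the blank line that ends the headers (Snort 2.x behaviour).

def split_http_request(payload: bytes):
    """Return (request_line, header_block, body) for a raw HTTP request."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        if sep in payload:
            head, body = payload.split(sep, 1)
            break
    else:
        head, body = payload, b""
    newline = b"\r\n" if b"\r\n" in head else b"\n"
    request_line, _, header_block = head.partition(newline)
    return request_line, header_block, body


def matches_dridex_anyevent_rule(payload: bytes) -> bool:
    """True when both content options of the posted rule would match."""
    _, header_block, _ = split_http_request(payload)
    # content:"User-Agent|3a|" -> raw payload search; |3a| is the ':' byte.
    if b"User-Agent:" not in payload:
        return False
    # content:"AnyEvent-HTTP"; http_header; -> header buffer only, case-sensitive.
    return b"AnyEvent-HTTP" in header_block


# Constructed sample requests (not real captures).
SAMPLES = {
    "anyevent_ua": (b"POST /x HTTP/1.1\r\nHost: example.invalid\r\n"
                    b"User-Agent: AnyEvent-HTTP/2.15\r\nContent-Length: 0\r\n\r\n"),
    "browser_ua": (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n"),
    # UA string present only in the body: http_header keeps this from firing.
    "string_in_body": (b"POST /x HTTP/1.1\r\nHost: example.invalid\r\n"
                       b"User-Agent: curl/7.40\r\nContent-Length: 13\r\n\r\n"
                       b"AnyEvent-HTTP"),
    # No nocase in the rule, so a lowercase variant is not matched.
    "lowercase_ua": (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                     b"User-Agent: anyevent-http/2.15\r\n\r\n"),
}


def evaluate_samples() -> dict:
    """Run the emulated rule over every constructed sample."""
    return {name: matches_dridex_anyevent_rule(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:15s} -> {'ALERT' if hit else 'no match'}")
```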