Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Possible Dridex C2 UA sig

From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 19 Feb 2015 12:08:00 -0700
Topic says it...went with two content's and the fast_pattern instead of 
pcre:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"MALWARE-OTHER Possible Dridex C2 User Agent (AnyEvent)"; 
flow:to_server,established; content:"User-Agent|3a|"; 
content:"AnyEvent-HTTP"; http_header; fast_pattern:only; 
reference:url,software.schmorp.de/pkg/AnyEvent; 
classtype:trojan-activity; sid:10000152; rev:1;)

James

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: