Snort mailing list archives

Previous By Date Next
Previous By Thread Next

FindPOS sig

From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 19 Mar 2015 14:34:35 -0600
Quick and dirty and sanity checked only.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
FindPOS C&C"; flow:to_server,established; content:"POST"; http_method; 
content:"uid="; fast_pattern; http_client_body; content:"win="; 
http_client_body; content:"vers="; http_client_body; content:"logs="; 
http_client_body; metadata:impact_flag red, policy balanced-ips drop, 
policy security-ips drop, service http; 
reference:url,researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered; 
classtype:trojan-activity; sid:10000155; rev:1;)

James

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: