Snort mailing list archives
FindPOS sig
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 19 Mar 2015 14:34:35 -0600
Quick and dirty and sanity checked only. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC FindPOS C&C"; flow:to_server,established; content:"POST"; http_method; content:"uid="; fast_pattern; http_client_body; content:"win="; http_client_body; content:"vers="; http_client_body; content:"logs="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered; classtype:trojan-activity; sid:10000155; rev:1;) James ------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- FindPOS sig James Lay (Mar 19)