Snort mailing list archives
Re: KrakenHTTP botnet sig
From: Matt Mickel <mmickel () sourcefire com>
Date: Thu, 30 Apr 2015 14:53:27 -0400
Hi, James-

This rule has been reviewed and committed to the community ruleset. In the committed version I used the within content modifier to enforce order and length. Additionally, I changed the formatting from:

uricontent:"idcontact.php|3F|";

to

content:"idcontact.php|3F|"; http_uri;

Thanks for your contribution!

Best,
Matt Mickel

On 04/17/2015 11:03 AM, James Lay wrote:
> This might be old news, but didn't see any sigs so here's one for it:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC KrakenHTTP C&C Traffic Detected"; flow:established,to_server; uricontent:"idcontact.php|3F|"; uricontent:"=|26|steam="; uricontent:"|26|origin="; uricontent:"|26|webnavig="; uricontent:"|26|java="; reference:url,itsjack.cc/blog/2015/02/krakenhttp-not-sinking-my-ship-part-1; classtype:bad-unknown; sid:10000157; rev:1;)
>
> Sanity tested only
>
> James
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
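As an added illustration (not code from the thread or from the Snort project), the following Python script emulates a chain of Snort content matches against an HTTP URI buffer, once as plain unordered uricontent matches like James's original rule and once with a within modifier on each later pattern, which is the change Matt describes. The within value of 64 and the sample URIs are constructed assumptions for the demonstration; they are not the values in the committed rule and not captured traffic. The relative-match logic is a simplification of Snort's within semantics, enough to show why ordering tightens the rule.

```python
# Added example: emulate Snort content/http_uri matching with and without
# `within`, using the five URI patterns from James's KrakenHTTP rule.
# The within value (64) is an illustrative assumption, not the committed rule.

def decode_snort_content(text: str) -> bytes:
    """Convert a Snort content string to bytes; text between | | is hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2 == 0:
            out += part.encode("ascii")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


# (content, within) pairs.  within=None searches the whole URI buffer, as a
# plain uricontent does; within=N means the pattern must lie in the N bytes
# after the previous match ends (simplified relative semantics, for illustration).
UNORDERED = [(p, None) for p in
             ("idcontact.php|3F|", "=|26|steam=", "|26|origin=",
              "|26|webnavig=", "|26|java=")]
ORDERED = [("idcontact.php|3F|", None), ("=|26|steam=", 64),
           ("|26|origin=", 64), ("|26|webnavig=", 64), ("|26|java=", 64)]


def uri_matches(uri: bytes, patterns) -> bool:
    """Run a chain of content matches against a normalized URI buffer."""
    cursor = 0  # byte offset just past the previous match
    for text, within in patterns:
        needle = decode_snort_content(text)
        if within is None:
            idx = uri.find(needle)          # anywhere in the buffer
            if idx < 0:
                return False
            cursor = idx + len(needle)
        else:
            region = uri[cursor:cursor + within]  # only the next N bytes
            idx = region.find(needle)
            if idx < 0:
                return False
            cursor += idx + len(needle)
    return True


def render_options(patterns) -> str:
    """Render the chain in the content/http_uri form Matt switched the rule to."""
    parts = []
    for text, within in patterns:
        opt = f'content:"{text}"; http_uri;'
        if within is not None:
            opt += f" within:{within};"
        parts.append(opt)
    return " ".join(parts)


# Constructed sample URIs (not captured traffic).  The base64-looking id ends
# in "=" so the "=|26|steam=" pattern from the rule has something to match.
BEACON = b"/idcontact.php?id=MTIzNA==&steam=1&origin=0&webnavig=chrome&java=1"
REORDERED = b"/idcontact.php?x=1&java=1&webnavig=chrome&origin=0&id=&steam=1"
BENIGN = b"/idcontact.php?id=1"

if __name__ == "__main__":
    for name, uri in (("beacon", BEACON), ("reordered", REORDERED), ("benign", BENIGN)):
        print(f"{name:10s} unordered={uri_matches(uri, UNORDERED)} "
              f"ordered={uri_matches(uri, ORDERED)}")
    print(render_options(ORDERED))
```

Running it shows the point of the change: the unordered chain fires on any URI that merely contains all five substrings in any order, while the within-constrained chain only fires when the parameters appear in the sequence the rule expects and close together, which cuts false positives without losing the real beacon shape.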