Snort mailing list archives

Re: CobaltStrike certificate

From: wkitty42 () windstream net
Date: Mon, 12 Dec 2016 16:33:27 -0500

On 12/12/2016 03:30 PM, joshua burgess wrote:

That being said... What's wrong with this rule:

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert";
flow:established,from_server; content:"|6e ce  5e ce 41 92 68 3d 2d 84 e2 5b 0b
a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046; rev:1;)


is that extra space really in the thumb print?

s/6e ce  5e/6e ce 5e/

??

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

CobaltStrike certificate joshua burgess (Dec 12)
- Re: CobaltStrike certificate rmkml (Dec 12)
- Re: CobaltStrike certificate Joel Esler (jesler) (Dec 12)
- Re: CobaltStrike certificate wkitty42 (Dec 12)