Snort mailing list archives

Re: Osx.Trojan.OceanLotus


From: Tyler Montier <tmontier () sourcefire com>
Date: Fri, 17 Feb 2017 15:43:43 -0500

Yaser,

Thanks for your submission. We will review the rule and get back to you
when it's finished.

Sincerely,

Tyler Montier
Cisco Talos

On Fri, Feb 17, 2017 at 11:18 AM, Y M <snort () outlook com> wrote:

Hello,


This one is a bit old, but I did not find an existing signature for it.
The signature is derived from the reference article. No pcaps available.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/sigstore.db?"; fast_pattern:only; \
    content:"k="; http_uri; \
    content:"?q="; http_uri; \
    content:!"User-Agent"; http_header; \
    content:!"Connection"; http_header; \
    metadata:ruleset community, service http; \
    reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; \
    classtype:trojan-activity; sid:1000843; rev:1; \
)


Thanks.

YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads

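The submitted rule, as an added example that is not part of the post or of any Talos/Snort code: a small Python evaluator that applies the same conditions the rule expresses (GET method, the `/sigstore.db?` fast pattern in the raw payload, `k=` and `?q=` in the URI, and the negated `User-Agent` and `Connection` header matches) to raw HTTP request text, so the rule's logic can be exercised against constructed requests without a sensor or pcap. The three sample requests, the hostname and the query values are constructed placeholders; the header checks are case-sensitive because the rule sets no `nocase`, which the third sample is there to illustrate.

```python
"""Added example (not from the mailing-list post): apply the matching logic of
the submitted Osx.Trojan.OceanLotus Snort rule to raw HTTP request text.

The conditions mirror the rule's content options one-to-one; the sample
requests below are constructed, not captured traffic. Snort content matches
that carry no 'distance'/'within' are independent searches of their buffer,
so the URI substrings only need to be present, not adjacent.
"""
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict  # header name (lower-cased) -> value


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers)


def header_block(raw: str) -> str:
    """The header lines between the request line and the blank line: the part of
    the request the rule's http_header options are evaluated against."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n", 1)[1] if "\r\n" in head else ""


def matches_oceanlotus_rule(raw: str) -> bool:
    """Return True when every option of the rule is satisfied by the request.

    No 'nocase' appears in the rule, so every check here is case-sensitive,
    including the two negated header checks."""
    req = parse_request(raw)
    hdrs = header_block(raw)
    return (
        req.method == "GET"                   # content:"GET"; http_method;
        and "/sigstore.db?" in raw            # content:"/sigstore.db?"; fast_pattern:only; (raw payload)
        and "k=" in req.uri                   # content:"k="; http_uri;
        and "?q=" in req.uri                  # content:"?q="; http_uri;
        and "User-Agent" not in hdrs          # content:!"User-Agent"; http_header;
        and "Connection" not in hdrs          # content:!"Connection"; http_header;
    )


# Constructed sample 1: the request shape the rule describes, with no
# User-Agent or Connection header. Expected to match.
SUSPECT_REQUEST = (
    "GET /sigstore.db?k=EXAMPLEKEY?q=EXAMPLEQUERY HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "\r\n"
)

# Constructed sample 2: a browser-style fetch of a file with the same name.
# The two negated header options suppress the alert. Expected not to match.
BROWSER_REQUEST = (
    "GET /sigstore.db?k=1?q=2 HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed sample 3: the same headers with lower-cased names. Because the
# rule's negated matches are case-sensitive, this evaluator still matches:
# a caveat to keep in mind when a rule relies on a header being absent.
LOWERCASE_HEADERS_REQUEST = (
    "GET /sigstore.db?k=1?q=2 HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "user-agent: Mozilla/5.0\r\n"
    "connection: keep-alive\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for label, sample in [("suspect", SUSPECT_REQUEST),
                          ("browser", BROWSER_REQUEST),
                          ("lowercase-headers", LOWERCASE_HEADERS_REQUEST)]:
        print(f"{label:18s} -> alert={matches_oceanlotus_rule(sample)}")
```

Running the module prints one line per sample; the third line is the one to note, since it shows how much of the rule's precision rests on two headers being absent with exactly the expected capitalisation.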
