Snort mailing list archives
Re: Osx.Trojan.OceanLotus
From: Tyler Montier <tmontier () sourcefire com>
Date: Fri, 17 Feb 2017 15:43:43 -0500
Yaser,

Thanks for your submission. We will review the rule and get back to you when it's finished.

Sincerely,
Tyler Montier
Cisco Talos

On Fri, Feb 17, 2017 at 11:18 AM, Y M <snort () outlook com> wrote:
Hello,

This one is a bit old, but I did not find an existing signature for it. The signature is derived from the reference article. No pcaps available.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; http_uri; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:1000843; rev:1;)

Thanks.
YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
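One way to sanity-check which request shapes the submitted rule's content matches will and will not fire on, before any pcap exists. This is an added illustration, not code from this thread, from the submitter, or from Talos. It models only the subset of Snort 2.9 semantics the rule uses (content with the http_method, http_uri and http_header buffers, negated content, and fast_pattern:only treated as a plain match on the request), assumes the http_header buffer holds the header lines without the request line, and runs over constructed sample requests rather than captures, since the submission says none were available.

```python
"""Evaluate the content matches of the submitted OceanLotus Snort rule
against HTTP requests. Added example, not code from the snort-sigs thread.

Only the subset of Snort 2.9 semantics the rule uses is modelled:
content with the http_method / http_uri / http_header buffers, negated
content (content:!"..."), and fast_pattern:only, which is treated as a
plain match on the whole request (Snort still needs the fast pattern
present in the packet before the rule is evaluated). Assumption: the
http_header buffer holds the header lines without the request line.
"""

RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; '
    'flow:to_server,established; content:"GET"; http_method; '
    'content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; '
    'content:"?q="; http_uri; content:!"User-Agent"; http_header; '
    'content:!"Connection"; http_header; '
    'metadata:ruleset community, service http; '
    'classtype:trojan-activity; sid:1000843; rev:1;)'
)

BUFFER_MODIFIERS = ('http_method', 'http_uri', 'http_header')


def split_options(rule):
    """Split the option body of a rule on ';' while respecting quotes."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    options, current, in_quotes = [], '', False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            options.append(current.strip())
            current = ''
        else:
            current += ch
    if current.strip():
        options.append(current.strip())
    return options


def parse_contents(rule):
    """Return the rule's content checks as dicts of pattern/negated/buffer.

    A buffer modifier (http_uri etc.) applies to the content that precedes it;
    a content with no buffer modifier is searched in the raw request payload.
    """
    contents = []
    for option in split_options(rule):
        key, _, value = option.partition(':')
        key, value = key.strip(), value.strip()
        if key == 'content':
            negated = value.startswith('!')
            pattern = value.lstrip('!').strip('"')
            contents.append({'pattern': pattern, 'negated': negated,
                             'buffer': 'payload'})
        elif key in BUFFER_MODIFIERS:
            contents[-1]['buffer'] = key
    return contents


def parse_request(raw):
    """Split an HTTP request into the buffers the rule's modifiers select."""
    head = raw.split('\r\n\r\n', 1)[0]
    lines = head.split('\r\n')
    method, uri = lines[0].split(' ', 2)[:2]
    return {'payload': raw, 'http_method': method, 'http_uri': uri,
            'http_header': '\r\n'.join(lines[1:])}


def rule_matches(rule, raw_request):
    """True when every positive content is present and every negated one absent."""
    request = parse_request(raw_request)
    for check in parse_contents(rule):
        found = check['pattern'] in request[check['buffer']]
        if found == check['negated']:
            return False
    return True


# Constructed sample requests (the thread notes no pcaps were available).
# BEACON follows the URI shape the rule describes and carries no User-Agent
# or Connection header; BROWSER has the same URI with normal browser headers.
BEACON = ('GET /sigstore.db?q=EXAMPLE&k=EXAMPLE HTTP/1.1\r\n'
          'Host: c2.example.invalid\r\n\r\n')
BROWSER = ('GET /sigstore.db?q=EXAMPLE&k=EXAMPLE HTTP/1.1\r\n'
           'Host: c2.example.invalid\r\n'
           'User-Agent: Mozilla/5.0\r\n'
           'Connection: keep-alive\r\n\r\n')
UNRELATED = ('GET /index.html?k=1 HTTP/1.1\r\n'
             'Host: www.example.invalid\r\n\r\n')


def evaluate_samples():
    """Map each sample name to whether sid:1000843 would fire on it."""
    return {name: rule_matches(RULE, req)
            for name, req in (('beacon', BEACON), ('browser', BROWSER),
                              ('unrelated', UNRELATED))}


if __name__ == '__main__':
    for name, fired in evaluate_samples().items():
        print(f'{name:10s} alert={fired}')
```

The browser sample shows why the two negated header checks matter: the same URI sent with a normal User-Agent and Connection header does not fire, so the rule keys on the bare request shape rather than on the path alone.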
Current thread:
- Osx.Trojan.OceanLotus Y M (Feb 17)
- Re: Osx.Trojan.OceanLotus Tyler Montier (Feb 17)