Snort mailing list archives
Re: Andr.Trojan.Femas (ViperRAT)
From: Tyler Montier <tmontier () sourcefire com>
Date: Mon, 20 Feb 2017 10:33:13 -0500
Yaser,

Thanks for your submission. We will review the rule and get back to you when it's finished.

Sincerely,
Tyler Montier
Cisco Talos

On Sun, Feb 19, 2017 at 12:39 AM, Y M <snort () outlook com> wrote:
> Hello,
>
> The signature below was derived from the articles in the references. No pcaps available.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Femas outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"did="; http_client_body; content:"&method="; fast_pattern:only; content:".php"; http_uri; content:"|3B| Android "; http_header; content:"Accept-Encoding|3A 20|gzip|0D 0A|"; http_header; content:!"Accept|3A 20|"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; reference:url,blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/; classtype:trojan-activity; sid:1000847; rev:1;)
>
> Thank you.
> YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
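The rule submitted above is a set of content matches, each pinned to one part of an HTTP request. The following added example (it is not code from the thread, from Y M, or from Cisco Talos, and it is not Snort) evaluates each of those options against constructed HTTP/1.1 requests so the mapping from keyword to buffer is visible: http_method, http_uri, http_header and http_client_body each see a different slice of the request, an unmodified content match sees the whole thing, and a POST body only exists in the client-to-server direction, which is why a rule that inspects it with http_client_body needs flow:to_server. The hostnames, User-Agent strings and field values in the sample requests are assumptions made for illustration, not captured ViperRAT traffic.

```python
"""Added example: evaluate the Andr.Trojan.Femas rule options against
constructed requests. Approximates Snort's HTTP buffers; not Snort itself."""

from dataclasses import dataclass


@dataclass
class HttpRequest:
    """The buffers that Snort's HTTP preprocessor exposes to content matches."""
    method: bytes
    uri: bytes
    header: bytes     # header lines after the request line, CRLF-terminated
    body: bytes       # what http_client_body inspects
    raw: bytes        # what a content match with no buffer modifier inspects
    direction: str    # "to_server" (client -> server) or "to_client"


def parse_request(raw: bytes, direction: str = "to_server") -> HttpRequest:
    """Split a raw HTTP/1.1 request into the buffers the rule keywords see."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    # Restore the CRLF that partition() consumed so the last header line
    # is still terminated, as the rule's "gzip|0D 0A|" match expects.
    return HttpRequest(method, uri, header + b"\r\n", body, raw, direction)


def evaluate_rule(req: HttpRequest) -> dict:
    """One entry per option of the submitted rule: option text -> holds?"""
    return {
        "flow:to_server,established": req.direction == "to_server",
        'content:"POST"; http_method': req.method == b"POST",
        'content:"did="; http_client_body': b"did=" in req.body,
        'content:"&method="; fast_pattern:only': b"&method=" in req.raw,
        'content:".php"; http_uri': b".php" in req.uri,
        'content:"|3B| Android "; http_header': b"; Android " in req.header,
        'content:"Accept-Encoding|3A 20|gzip|0D 0A|"; http_header':
            b"Accept-Encoding: gzip\r\n" in req.header,
        # Negated match: the rule requires that no "Accept: " header is present.
        # "Accept-Encoding: " does not satisfy "Accept: " (the next byte is "-").
        'content:!"Accept|3A 20|"; http_header': b"Accept: " not in req.header,
    }


def rule_fires(req: HttpRequest) -> bool:
    """All options must hold for the alert to fire."""
    return all(evaluate_rule(req).values())


def failed_options(req: HttpRequest) -> list:
    """The options that kept the rule from firing, in rule order."""
    return [opt for opt, ok in evaluate_rule(req).items() if not ok]


# Constructed request that satisfies every option (assumed host and values).
C2_POST = (
    b"POST /api/upload.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 6.0) AppleWebKit/537.36\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"\r\n"
    b"did=0123456789abcdef&method=register"
)

# Constructed browser-style POST that differs only in sending an Accept header;
# it shows that the negated match is what keeps ordinary form posts quiet.
BENIGN_POST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 6.0) AppleWebKit/537.36\r\n"
    b"Accept: text/html\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"did=1&method=login&user=bob"
)


if __name__ == "__main__":
    samples = [
        ("C2-style POST, to_server", C2_POST, "to_server"),
        ("same bytes, flow to_client", C2_POST, "to_client"),
        ("benign form POST, to_server", BENIGN_POST, "to_server"),
    ]
    for name, raw, direction in samples:
        req = parse_request(raw, direction)
        verdict = "ALERT" if rule_fires(req) else "no alert"
        print(f"{name}: {verdict} {failed_options(req)}")
```

Running it shows the first request alerting, the second failing only the flow check (the same bytes can never be seen in the to_client direction, so a rule written that way would be dead), and the third failing only the negated Accept match. That last case is also the one to keep an eye on when tuning: the submitter had no pcaps, so whether real samples omit the Accept header is exactly what a capture would confirm.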
Current thread:
- Andr.Trojan.Femas (ViperRAT) Y M (Feb 18)
- Re: Andr.Trojan.Femas (ViperRAT) Tyler Montier (Feb 20)