Snort mailing list archives

Re: Win.Trojan.Dunihi


From: "Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Wed, 9 May 2018 03:13:22 +0000

What are you trying to do?  Download the rule?  You have to be a paid subscriber, download the ruleset, and then you 
can get the rule from inside the tarball, along with all of our other up to date rules.

Sent from my iPad

On May 8, 2018, at 11:11 PM, Ernest Johnson <ernest.johnson2 () gmail com> wrote:

Do I just log in and do a search for it?

On Tue, May 8, 2018, 8:29 PM Joel Esler (jesler) <jesler () cisco com> wrote:
We do have a rule for GandCrab malware.  It's sid 45694.  Available in our subscriber ruleset at 
https://www.snort.org/downloads#rules

--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com




On May 8, 2018, at 10:23 AM, Ernest Johnson via Snort-sigs <snort-sigs () lists snort org> wrote:

Phill,

Do you have a signature for GandCrab ransomware to alert on or block it?

On Mon, May 7, 2018 at 12:06 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

Pcap is available for this as retrieved from the reference.

# --------------------
# Date: 2018-05-07
# Title: JacksBot, Dunihi
# Tests: pcap
# Reference: https://twitter.com/James_inthe_box/status/993508601862832130, https://app.any.run/tasks/7533e2da-24b1-424c-8624-dbb764852020

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Dunihi outbound connection"; \
    flow:to_server,established; content:"POST"; http_method; content:"/is-ready"; fast_pattern:only; http_uri; \
    content:"|3C 7C 3E|"; http_header; metadata:ruleset community, service http; \
    reference:url,twitter.com/James_inthe_box/status/993508601862832130; \
    reference:url,www.virustotal.com/#/file/be442a5f8be3bf720236f71a613a534b8aa82b16b0daf8ff84a59bcb92e19e7d/detection; \
    classtype:trojan-activity; sid:8000048; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads




--
Ernest Johnson
504 621 2520


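As an added illustration (not code from the thread or from Talos), the following Python mirrors the three content checks and the port range of the community rule YM posted above, run over constructed sample HTTP request heads. The rule only requires the "<|>" byte sequence (|3C 7C 3E|) somewhere in the header block; placing it in User-Agent in the sample is an assumption.

```python
# Added example: re-implements the matching logic of the Dunihi community rule
# (POST method, "/is-ready" in the URI, "<|>" in the HTTP header block,
# destination port 1024 or higher) so the conditions can be checked offline.
from dataclasses import dataclass


@dataclass
class HttpRequestHead:
    method: str
    uri: str
    header_block: str  # raw header lines, what http_header inspects


def parse_request_head(raw: bytes) -> HttpRequestHead:
    """Split a raw HTTP/1.x request head into method, URI and header block."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return HttpRequestHead(method, uri, header_block)


def dunihi_rule_matches(req: HttpRequestHead, dst_port: int) -> bool:
    """True when every condition of sid 8000048 is satisfied."""
    if dst_port < 1024:                      # $EXTERNAL_NET 1024: (1024 and up)
        return False
    if "POST" not in req.method:             # content:"POST"; http_method
        return False
    if "/is-ready" not in req.uri:           # content:"/is-ready"; http_uri
        return False
    return "<|>" in req.header_block         # content:"|3C 7C 3E|"; http_header


# Constructed samples, not captured traffic (addresses are documentation ranges).
SAMPLE_MATCH = (b"POST /is-ready HTTP/1.1\r\n"
                b"Host: 203.0.113.10\r\n"
                b"User-Agent: sample<|>host<|>data\r\n\r\n")   # assumption: UA carries the separator
SAMPLE_NO_SEP = (b"POST /is-ready HTTP/1.1\r\n"
                 b"Host: 203.0.113.10\r\n"
                 b"User-Agent: curl/7.58.0\r\n\r\n")
SAMPLE_GET = (b"GET /is-ready HTTP/1.1\r\n"
              b"Host: 203.0.113.10\r\n"
              b"X-Id: a<|>b\r\n\r\n")


def evaluate_samples() -> dict:
    """Return which constructed samples would trigger the rule on port 8080 vs 80."""
    return {
        "match_8080": dunihi_rule_matches(parse_request_head(SAMPLE_MATCH), 8080),
        "match_80": dunihi_rule_matches(parse_request_head(SAMPLE_MATCH), 80),
        "no_sep_8080": dunihi_rule_matches(parse_request_head(SAMPLE_NO_SEP), 8080),
        "get_8080": dunihi_rule_matches(parse_request_head(SAMPLE_GET), 8080),
    }
```

Only the first sample fires: the same request to a port below 1024, a POST without the separator, or a GET with the separator all fall outside the rule, which is useful to know when judging its coverage.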