Snort mailing list archives
Win.Trojan.Occamy
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 11 Jun 2018 19:06:37 +0000
Hi, A pcap is available for this one too. # -------------------- # Date: 2018-06-11 # Title: Suspicious Self-signed Certificate # Tests: pcap # Reference: https://twitter.com/ClearskySec/status/1004749887966244865 # Hash: d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de # Confidence: medium alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Occamy inbound self-signed SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"some-state"; nocase; content:"some company"; nocase; metadata:ruleset community, service ssl; reference:url,www.virustotal.com/#/file/d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de/detection; classtype:trojan-activity; sid:8000117; rev:1;) Thanks. YM
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Win.Trojan.Occamy Y M via Snort-sigs (Jun 11)