Snort mailing list archives

Re: Multiple signatures 029


From: Matthew Mickel <mmickel () sourcefire com>
Date: Wed, 5 Jun 2019 13:37:02 -0400

Hi, Yaser-

Thanks for your submissions. We’ll process them and get back to you when we have finished. Any PCAPs or Yara/ClamAV signatures you can share are greatly appreciated.

Best,

Matt Mickel

On Jun 3, 2019, at 2:17 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

# --------------------
# Title: HiddenWasp Malware Stings Targeted Linux Systems
# Reference: https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
# Tests: syntax only;
# Yara: 
#   - MALWARE_Linux_Trojan_HiddenWasp
#   - INDICATOR_Linux_File_References_Clearing_History
# ClamAV: 
#   - MALWARE_Linux.Trojan.HiddenWasp-1
#   - MALWARE_Linux.Trojan.HiddenWasp-2
#   - INDICATOR_Linux_File_References_Clearing_History-1
#   - INDICATOR_Linux_File_References_Clearing_History-2
# Hashes:
#   - de823a4e958168ff8800b9d10b0dbfc911a57dda0f76a120b4e1cc71cada8ae7 (bash script)
# Note:
#   - No access to ELF samples on VTI.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.HiddenWasp outbound connection attempt"; flow:to_server,established; content:"/test?data="; fast_pattern:only; http_uri; content:"User-Agent: curl/"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000672; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Trojan.HiddenWasp outbound connection attempt"; flow:to_server,established; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; metadata:ruleset community; classtype:trojan-activity; sid:8000673; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Trojan.HiddenWasp inbound connection attempt"; flow:to_client,established; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; metadata:ruleset community; classtype:trojan-activity; sid:8000674; rev:1;)
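The matching logic of the three rules above, re-implemented in plain Python over constructed sample payloads so a reader can see exactly which traffic they fire on (an added example, not code from the original post or from Snort; `fired_sids` and the sample payloads are assumptions, and Snort's port, session-state and HTTP normalisation handling is not modelled):

```python
from typing import List, Optional

# Added example, not part of the original post. Byte pattern taken from
# sid 8000673 / 8000674: content:"|75 63 65 73 00 01|"; depth:6;
HIDDENWASP_MAGIC = bytes.fromhex("756365730001")

def content_match(payload: bytes, pattern: bytes, depth: Optional[int] = None) -> bool:
    """Snort-style content check. With depth:N the whole pattern must lie within
    the first N payload bytes, so a 6-byte pattern with depth:6 only matches at offset 0."""
    window = payload if depth is None else payload[:depth]
    return pattern in window

def matches_binary_cnc(payload: bytes) -> bool:
    """Shared check of sid 8000673 (to_server) and sid 8000674 (to_client)."""
    return content_match(payload, HIDDENWASP_MAGIC, depth=6)

def matches_http_cnc(request: bytes) -> bool:
    """sid 8000672: URI contains '/test?data=' and a header contains 'User-Agent: curl/'.
    Minimal HTTP/1.x request-line and header split, standing in for Snort's http_inspect."""
    head, _sep, _body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:          # not "METHOD SP URI SP VERSION"
        return False
    headers = b"\r\n".join(lines[1:])
    return b"/test?data=" in parts[1] and b"User-Agent: curl/" in headers

def fired_sids(payload: bytes, to_server: bool) -> List[int]:
    """Return the sids from the post that fire on one payload, given the flow
    direction. Port constraints ($HTTP_PORTS) and session state are not modelled."""
    sids = []
    if to_server and matches_http_cnc(payload):
        sids.append(8000672)
    if matches_binary_cnc(payload):
        sids.append(8000673 if to_server else 8000674)
    return sids

# Constructed sample payloads, not captured traffic.
SAMPLE_HTTP_HIT = (b"GET /test?data=AAAA HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"User-Agent: curl/7.64.0\r\n\r\n")
SAMPLE_HTTP_MISS = (b"GET /test?data=AAAA HTTP/1.1\r\nHost: example.invalid\r\n"
                    b"User-Agent: Mozilla/5.0\r\n\r\n")      # URI matches, UA does not
SAMPLE_BIN_HIT = HIDDENWASP_MAGIC + b"\x00" * 10             # magic at offset 0
SAMPLE_BIN_MISS = b"\x00" + HIDDENWASP_MAGIC                 # magic present but past depth:6

if __name__ == "__main__":
    for sample, to_server in [(SAMPLE_HTTP_HIT, True), (SAMPLE_BIN_HIT, False), (SAMPLE_BIN_MISS, False)]:
        print(sample[:20], "->", fired_sids(sample, to_server))
```

Note that a one-byte shift of the binary marker (SAMPLE_BIN_MISS) is enough to escape the depth:6 rules, which is the trade-off the depth constraint makes against false positives.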
