Re: Quick Android/Fakelash.A!tr.spy sig

[Joel Esler <jesler () sourcefire com>]

Thanks James. I'll see if we have pcaps. 

--
Joel Esler

On Sep 21, 2012, at 5:14 PM, James Lay <jlay () slave-tothe-box net> wrote:

> Maybe add the /data.php?action=add?  Not sure...sanity checked, but not 
> much more as I don't have pcaps.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> Android/Fakelash.A!tr.spy trojan command and control channel traffic"; 
> flow:to_server,established; content:"=hithere"; content:"=1234"; 
> fast_pattern:only; http_uri; metadata:policy security-ips drop, service 
> http; 
> reference:url,http://blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; 
> classtype:trojan-activity; sid:10000028; rev:1;)
>
> As always, comments and improvements welcome.  Thanks all!
>
> James
>
> ------------------------------------------------------------------------------
> Got visibility?
> Most devs has no idea what their production app looks like.
> Find out how fast your code is with AppDynamics Lite.
> http://ad.doubleclick.net/clk;262219671;13503038;y?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Got visibility?
Most devs has no idea what their production app looks like.
Find out how fast your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219671;13503038;y?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!