Re: Pinkstats

[Joel Esler <jesler () sourcefire com>]

Thanks James.

I think it might be better just to edit the rule we have (24015) to catch both.

Also: 24792 catches this as well.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jun 26, 2013, at 3:27 PM, James Lay <jlay () slave-tothe-box net> wrote:

> Yippee
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> W32.Trojan.PinkStats outbound connection"; flow:to_server,established; 
> content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; 
> http_header; content:"/count.asp?mac="; http_uri; content:"&ver="; 
> http_uri; metadata:impact_flag red, policy balanced-ips drop, policy 
> security-ips drop, service http; 
> reference:url,http://www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; 
> classtype:trojan-activity; sid:10000083; rev:1;)
>
> Rule 24015 seems to be a cousin MALWARE-CNC W32.Trojan.Magania
>
> James
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!