Snort mailing list archives
Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 6 May 2013 12:53:16 -0400
Thanks Nathan, I'll run these through.

On May 3, 2013, at 8:54 PM, lists () packetmail net wrote:

On 05/03/2013 05:57 PM, James Lay wrote:
https://blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware/
YAY
James

Here's my go at it. I'm using Emerging-Threats[1] style/nomenclature not because it's what's "right" but simply because it's what I'm acclimated to. Please no flamewar for cross-posting. Gratuitous hex to avoid line-wrap.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS/VRT_COMMUNITY Potential Sirefef hostile executable served from compromised or malicious WordPress site"; flow:established,to_server; content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\/\d+\.exe$/U"; classtype:trojan-activity; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS/VRT_COMMUNITY Sirefef Fake Opera 10 User-Agent"; flow:established,to_server; content:"Opera/10|20|"; http_header; fast_pattern:only; content:!"Accept"; http_header; classtype:trojan-activity; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; sid:x; rev:1;)

Been a long day, flame me accordingly if this ends up being garbage sigs. Best wishes to all, and thanks, James, for your keen eye (as always).

[1] http://www.emergingthreats.net/open-source/open-source-overview/

Cheers,
Nathan

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
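The two proposed rules, as an added example that is not part of the thread or of any Snort/ET rule set: their matching logic re-expressed in Python and run over constructed HTTP requests, so the hits and the near-misses can be inspected without a sensor. The URI normalization is only a rough stand-in for http_inspect's http_uri buffer, the sample requests and example.com hosts are made up, and the genuine Opera 10 User-Agent string follows the dev.opera.com reference the second rule cites.

```python
"""Added example (not from the thread): the matching logic of the two proposed
Snort rules re-expressed in Python and run over constructed HTTP requests.
The URI normalization is a rough stand-in for http_inspect's http_uri buffer,
and every request below is made up (example.com hosts), not captured traffic."""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    raw_headers: str  # header block as sent, i.e. what the http_header buffer sees


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request into its request line and header block (no body needed here)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.decode("latin-1").partition("\r\n")
    method, uri, version = request_line.split(" ", 2)
    return HttpRequest(method, uri, version, header_block)


def normalize_uri(uri: str) -> str:
    """Approximate Snort's normalized http_uri: percent-decode and collapse repeated
    slashes. The query string stays in the buffer, as it does in Snort, which is
    what makes a pcre anchored with '$' fragile."""
    path, sep, query = uri.partition("?")
    return re.sub(r"/+", "/", unquote(path)) + sep + query


# Rule 1: content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; pcre:"/\/\d+\.exe$/U"
NUMERIC_EXE = re.compile(r"/\d+\.exe$")


def match_wp_numeric_exe(req: HttpRequest) -> bool:
    request_line = f"{req.method} {req.uri} {req.version}"
    uri = normalize_uri(req.uri)
    return ("/wp-content/" in uri
            and ".exe HTTP/1." in request_line
            and NUMERIC_EXE.search(uri) is not None)


# Rule 2: content:"Opera/10|20|"; http_header; content:!"Accept"; http_header
def match_fake_opera10(req: HttpRequest) -> bool:
    # Both contents are case-sensitive substrings of the whole header block, so the
    # negated "Accept" also suppresses the rule when only Accept-Language or
    # Accept-Encoding is present.
    return "Opera/10 " in req.raw_headers and "Accept" not in req.raw_headers


def run_rules(raw: bytes) -> list[str]:
    """Return the names of the rules that would fire on one request."""
    req = parse_request(raw)
    hits = []
    if match_wp_numeric_exe(req):
        hits.append("wp_content_numeric_exe")
    if match_fake_opera10(req):
        hits.append("fake_opera10_ua")
    return hits


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "wp_numeric_exe": (b"GET /wp-content/uploads/2013/05/123.exe HTTP/1.1\r\n"
                       b"Host: www.example.com\r\n"
                       b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n"),
    "wp_exe_with_query": (b"GET /wp-content/uploads/123.exe?dl=1 HTTP/1.1\r\n"
                          b"Host: www.example.com\r\n\r\n"),   # query defeats the literal and '$'
    "wp_named_exe": (b"GET /wp-content/uploads/setup.exe HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n\r\n"),        # not a digits-only filename
    "fake_opera_no_accept": (b"GET /index.php HTTP/1.1\r\n"
                             b"Host: www.example.com\r\n"
                             b"User-Agent: Opera/10 (Windows NT 5.1; U; en)\r\n\r\n"),
    "fake_opera_with_accept": (b"GET /index.php HTTP/1.1\r\n"
                               b"Host: www.example.com\r\n"
                               b"User-Agent: Opera/10 (Windows NT 5.1; U; en)\r\n"
                               b"Accept: */*\r\n\r\n"),
    # A genuine Opera 10 identifies as Opera/9.80 ... Version/10.xx (see the dev.opera.com reference).
    "real_opera10": (b"GET /index.php HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n"
                     b"User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.00\r\n"
                     b"Accept: text/html\r\n\r\n"),
}


def evaluate_samples() -> dict[str, list[str]]:
    return {name: run_rules(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in evaluate_samples().items():
        print(f"{name:24s} -> {hits or 'no alert'}")
```

Running it prints one line per sample; the two that fire are the numeric .exe fetch under /wp-content/ and the Opera/10 request with no Accept header. The query-string sample is the caveat worth keeping in mind: both the literal ".exe HTTP/1." and the "$"-anchored pcre assume the URI ends at ".exe", so a trailing "?dl=1" slips past without changing what the server sends back.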
Current thread:
- Late in the day...bet this could be sig'd James Lay (May 03)
- Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) lists () packetmail net (May 03)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Lay, James (May 06)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Joel Esler (May 06)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Joel Esler (May 06)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) waldo kitty (May 06)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Joel Esler (May 06)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) waldo kitty (May 06)