Snort mailing list archives
Re: Travnet and PCRat sigs
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 14 May 2013 15:14:52 -0600
On 2013-05-14 14:51, rmkml wrote:
Hi James, Thx for sharing, no http_uri on first sig ? Regards Rmkml
Heh...Rm always catches me! Yea...I should make it like yonder: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Travnet Botnet data upload"; flow:to_server,established; content:"GET"; http_method; http_uri; content:"hostid="; http_uri; content:"|26|hostname="; within:16; http_uri; content:"|26|hostip="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blogs.mcafee.com/mcafee-labs/travnet-botnet-controls-victims-with-remote-admin-tool; classtype:trojan-activity; sid:10000057; rev:2) Thanks Rm...your sharp eye helps a lot. James ------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Travnet and PCRat sigs James Lay (May 14)
- Message not available
- Re: Travnet and PCRat sigs James Lay (May 14)
- Message not available
- Re: Travnet and PCRat sigs Joel Esler (May 16)
- Re: Travnet and PCRat sigs James Lay (May 16)
- Re: Travnet and PCRat sigs Joel Esler (May 16)
- Re: Travnet and PCRat sigs James Lay (May 16)