Snort mailing list archives

Re: BLYPT sigs


From: Joel Esler <jesler () sourcefire com>
Date: Sat, 21 Sep 2013 21:57:47 -0400

Thanks James. 


--
Joel Esler
Sent from my iPad

On Sep 20, 2013, at 5:47 PM, James Lay <jlay () slave-tothe-box net> wrote:

Fun Friday

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer startupkey outbound traffic"; flow:to_server,established; content:"index.aspx?info=startupkey_"; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:10000092; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer reuse outbound traffic"; flow:to_server,established; content:"index.aspx?info=reuse"; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:10000093; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer configkey outbound traffic"; flow:to_server,established; content:"index.aspx?info=configkey"; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:10000094; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer tserror outbound traffic"; flow:to_server,established; content:"index.aspx?info=tserror_"; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:10000095; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer createproc outbound traffic"; flow:to_server,established; content:"index.aspx?info=createproc_"; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:10000096; rev:1;)


James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
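The five rules above all reduce to one substring test against the normalized request URI (content with the http_uri modifier, no nocase, so the match is case-sensitive), and three of them deliberately require the trailing underscore after the info= value. The Python below is an added illustration, not code from James's post or from Snort itself: it approximates that http_uri content matching over a few constructed HTTP request lines and reports which sid would fire. Everything else the rules check (flow direction and state, port lists, policy metadata) is ignored, and the percent-decoding step is an assumption about how the http_inspect normalized URI buffer looks rather than a reproduction of it.

```python
"""Toy matcher for the BLYPT http_uri content patterns posted above.

Added example, not James's or Snort's code.  It approximates Snort's
content + http_uri matching as a plain substring test against the
percent-decoded request target (case-sensitive, since the rules carry no
nocase modifier) and ignores flow, ports and policy metadata.  All sample
request lines are constructed for illustration, not real captures.
"""
import re
from urllib.parse import unquote

# Patterns copied from the five rules above, keyed by the sid that carries them.
BLYPT_URI_PATTERNS = {
    10000092: "index.aspx?info=startupkey_",
    10000093: "index.aspx?info=reuse",
    10000094: "index.aspx?info=configkey",
    10000095: "index.aspx?info=tserror_",
    10000096: "index.aspx?info=createproc_",
}

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def request_target(line):
    """Return the percent-decoded request target of an HTTP/1.x request line,
    or None if the line is not a request line (a header, a response, noise)."""
    m = _REQUEST_LINE.match(line.strip())
    if m is None:
        return None
    # Assumption: the http_uri buffer is compared after percent-decoding.
    return unquote(m.group(2))


def matching_sids(line):
    """Sids whose http_uri content pattern is a substring of this request's target."""
    target = request_target(line)
    if target is None:
        return []
    return sorted(sid for sid, pattern in BLYPT_URI_PATTERNS.items() if pattern in target)


def scan(lines):
    """Map each sid to the number of request lines it fires on."""
    hits = {sid: 0 for sid in BLYPT_URI_PATTERNS}
    for line in lines:
        for sid in matching_sids(line):
            hits[sid] += 1
    return hits


# Constructed sample traffic; the values after info= are made up.
SAMPLE_REQUESTS = [
    "GET /index.aspx?info=startupkey_1 HTTP/1.1",    # sid 10000092
    "GET /index.aspx?info=startupkey HTTP/1.1",      # no trailing '_': no match
    "GET /index.aspx?info=reuse HTTP/1.1",           # sid 10000093
    "GET /index.aspx?info%3Dconfigkey HTTP/1.1",     # '=' percent-encoded, decoded first: sid 10000094
    "POST /index.aspx?info=tserror_7 HTTP/1.1",      # sid 10000095
    "GET /index.aspx?info=createproc_1 HTTP/1.0",    # sid 10000096
    "GET /INDEX.ASPX?info=reuse HTTP/1.1",           # case differs and there is no nocase: no match
    "Host: example.invalid",                         # not a request line at all
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{str(matching_sids(line) or '-'):<12} {line}")
    print(scan(SAMPLE_REQUESTS))
```

The two negative cases are the ones worth noticing when tuning such rules: the underscore-terminated patterns will not fire on a bare info=startupkey, and none of the patterns fire on a path whose case differs, which is exactly what the absence of nocase in the posted rules implies.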


