Snort mailing list archives
Re: Mac OSX Ransomware
From: Nick Randolph <drandolph () sourcefire com>
Date: Thu, 18 Jul 2013 12:32:06 -0400
I thought that the content match you had was unique enough to make the PCRE unnecessary. Here is what the rule will look like.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url, blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; classtype:trojan-activity; sid:27246; rev:1;)

Thanks
Paul

On Thu, Jul 18, 2013 at 6:20 AM, Paul Bottomley <Paul.Bottomley () betfair com> wrote:
Morning!

Probably not the best-written rule given the amount of matches on the regex, and I'm sure there are loads of ways to write this rule (see source on pastebin link), so if anyone wants to better this feel free :)

http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/
http://pastebin.com/THRQ1Xp2

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"[DELIVERY] Mac OSX Ransomware Excessive iframes"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern; pcre:"/(?:<iframe\s+src=.*){150}/";............)

Thanks,
Paul

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
--
Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>
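The two rules above differ in what they check for: Paul's version requires a content match plus a PCRE that must see 150 `<iframe src=` tags, while Nick's version relies on the content match alone (with `fast_pattern:only`, so the pattern is used only in the fast-pattern matcher and is not re-verified by the rule option). The following Python is an added illustration, not code from the thread, from Sourcefire or from the Snort project: it decodes the rule's `content` string (the `|..|` hex spans) into the exact bytes searched for, applies that search to a constructed response body, and implements the PCRE's threshold as a per-line count of iframe tags instead of running the quantified `.*` pattern, which forces a backtracking engine to try many ways of splitting the line. The sample bodies, `LOCK_SRC` and `BENIGN_SRC` are constructed for the example.

```python
import re

# The content match from the rule posted in this thread. In a Snort content
# string, text between |...| is a run of hex bytes; everything else is literal.
RULE_CONTENT = "<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"

# One iframe open tag: the unit the thread's pcre repeats 150 times.
IFRAME_OPEN = re.compile(rb"<iframe\s+src=")

# Constructed src values (not taken from a captured page): the first reproduces
# the URL-encoded text the rule keys on, the second is a hypothetical benign frame.
LOCK_SRC = '"YOUR%20BROWSER%20HAS%20BEEN%20LOCKED"'
BENIGN_SRC = '"http://ads.example/frame"'


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode a Snort content string into the bytes the engine searches for."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:            # outside |...|: literal text
            out += chunk.encode("latin-1")
        else:                     # inside |...|: hex bytes, e.g. 22 -> '"', 25 -> '%'
            out += bytes.fromhex(chunk)
    return bytes(out)


def content_match(body: bytes) -> bool:
    """Case-sensitive byte search; the rule carries no 'nocase' modifier."""
    return snort_content_to_bytes(RULE_CONTENT) in body


def max_iframes_on_one_line(body: bytes) -> int:
    """Count <iframe src= tags per line; the pcre's '.*' does not cross newlines,
    so the 150 repetitions must all sit on a single line."""
    counts = (len(IFRAME_OPEN.findall(line)) for line in body.splitlines())
    return max(counts, default=0)


def excessive_iframes(body: bytes, threshold: int = 150) -> bool:
    """Same condition as pcre:"/(?:<iframe\\s+src=.*){150}/", done by counting."""
    return max_iframes_on_one_line(body) >= threshold


def build_sample(n: int, src: str) -> bytes:
    """Constructed HTTP response body with n iframes on one line (example data)."""
    tags = "".join(f"<iframe src={src}></iframe>" for _ in range(n))
    return f"<html><body>{tags}</body></html>".encode("latin-1")


if __name__ == "__main__":
    print("decoded content:", snort_content_to_bytes(RULE_CONTENT))
    for label, body in [("1 lock iframe", build_sample(1, LOCK_SRC)),
                        ("150 lock iframes", build_sample(150, LOCK_SRC)),
                        ("200 benign iframes", build_sample(200, BENIGN_SRC))]:
        print(f"{label:20} content={content_match(body)!s:5} "
              f"excessive={excessive_iframes(body)}")
```

Running it shows why the content match alone was considered sufficient: a single iframe carrying the lock message already satisfies it, whereas the iframe count on its own also flags any page with 150 unrelated frames on one line. Whichever form is kept, `file_data` means both checks run against the decoded HTTP response body, and the rule is specific to the page source in the Malwarebytes write-up, so a change in the attacker's HTML (different quoting, different encoding of the spaces) defeats it.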
Current thread:
- Mac OSX Ransomware Paul Bottomley (Jul 18)
- Re: Mac OSX Ransomware Nick Randolph (Jul 18)