Snort mailing list archives

Re: Rovnix UA sig


From: Y M <snort () outlook com>
Date: Mon, 5 Aug 2013 19:10:50 +0000

Thanks Joel and James.

Date: Mon, 5 Aug 2013 15:00:21 -0400
From: jesler () sourcefire com
To: jlay () slave-tothe-box net
CC: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Rovnix UA sig

I cleaned up and committed Yaser's version since it came in first.

Thanks all.


On Mon, Aug 05, 2013 at 12:51:55PM -0600, James Lay wrote:
Ya YM and I played dueling Send buttons I guess :)  Thanks Joel!

James

On 2013-08-05 12:14, Joel Esler wrote:
Thanks James.  YM just submitted something very similar.

On Mon, Aug 5, 2013 at 1:43 PM, James Lay <jlay () slave-tothe-box net [7]> wrote:

I'm sure there are other things to match as well:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Rovnix UA detected"; \
    content:"User-Agent|3a| FWVersionTestAgent"; fast_pattern:only; http_header; \
    metadata:policy balanced-ips drop, policy security-ips drop, service http; \
    reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; \
    classtype:trojan-activity; sid:10000088; rev:1; \
)

James



------------------------------------------------------------------------------
Get your SQL database under version control now!
Version control is standard for application code, but databases haven't
caught up. So what steps can you take to put your SQL databases under
version control? Why should you start doing it? Read more to find out.
http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk [2]
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net [3]
https://lists.sourceforge.net/lists/listinfo/snort-sigs [4]
http://www.snort.org [5]

Please visit http://blog.snort.org [6] for the latest news about Snort!

--

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


Links:
------
[1] http://blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap
[2] http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
[3] mailto:Snort-sigs () lists sourceforge net
[4] https://lists.sourceforge.net/lists/listinfo/snort-sigs
[5] http://www.snort.org
[6] http://blog.snort.org
[7] mailto:jlay () slave-tothe-box net


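Added example (not code from the thread's authors or from the Snort rule set): the match logic of the rule above re-implemented in Python so it can be exercised offline against constructed HTTP requests. It converts the content option's |hex| notation to bytes, restricts the search to the header block the way http_header does, and applies the $HOME_NET -> $EXTERNAL_NET $HTTP_PORTS direction check. The 10.0.0.0/24 home net, the port set, the flow tuples and the three sample requests are assumptions made for the example. The last sample carries a lowercase header name, which the pattern as posted does not hit because a Snort content match is case-sensitive unless nocase is set; passing nocase=True shows the difference.

```python
"""Rovnix User-Agent check from the thread, replayed against constructed HTTP requests.

Added example, not the thread's or the Snort project's code. Only the matching
logic of the posted rule is reproduced; $HOME_NET, $HTTP_PORTS and all sample
requests below are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Options copied from the posted rule.
RULE_CONTENT = "User-Agent|3a| FWVersionTestAgent"
RULE_MSG = "MALWARE-CNC Rovnix UA detected"
RULE_SID = 10000088

# Assumed variable values: a /24 as $HOME_NET and a few common $HTTP_PORTS.
HOME_NET = ipaddress.ip_network("10.0.0.0/24")
HTTP_PORTS = {80, 8080, 8000, 8008, 8888}


def snort_content_to_bytes(content: str) -> bytes:
    """Turn Snort content syntax into raw bytes.

    Text outside pipes is literal; text between a pair of pipes is hex, with
    optional spaces between bytes ("|0d 0a|" -> b"\\r\\n"). Escaped pipes
    (\\|) are not handled; the rule on the page does not use them.
    """
    chunks = content.split("|")
    if len(chunks) % 2 == 0:
        raise ValueError("unbalanced | in content option")
    out = bytearray()
    for i, chunk in enumerate(chunks):
        if i % 2:                       # odd chunks sit between pipes: hex
            out.extend(bytes.fromhex(chunk))
        else:                           # even chunks are literal text
            out.extend(chunk.encode("ascii"))
    return bytes(out)


def http_header_buffer(request: bytes) -> Optional[bytes]:
    """Return the header lines of a request (what http_header inspects) or None.

    The request line is excluded, as in Snort's http_header buffer; None means
    no end-of-headers marker was seen, so the rule cannot match.
    """
    end = request.find(b"\r\n\r\n")
    if end < 0:
        return None
    first = request.find(b"\r\n")
    return request[first + 2:end + 2]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


def evaluate_rule(flow: Flow, request: bytes, nocase: bool = False) -> Optional[dict]:
    """Apply the rule to one client request; return an alert dict or None.

    nocase=False mirrors the rule as posted: a content match is case-sensitive
    unless the nocase modifier is given.
    """
    src_home = ipaddress.ip_address(flow.src_ip) in HOME_NET
    dst_home = ipaddress.ip_address(flow.dst_ip) in HOME_NET
    if not (src_home and not dst_home and flow.dst_port in HTTP_PORTS):
        return None                     # wrong direction or not an HTTP port
    header = http_header_buffer(request)
    if header is None:
        return None
    pattern = snort_content_to_bytes(RULE_CONTENT)
    hit = pattern.lower() in header.lower() if nocase else pattern in header
    if not hit:
        return None
    return {"sid": RULE_SID, "msg": RULE_MSG,
            "src": flow.src_ip, "dst": f"{flow.dst_ip}:{flow.dst_port}"}


# Constructed sample traffic (not captured data); 203.0.113.0/24 is a documentation range.
OUTBOUND = Flow("10.0.0.25", "203.0.113.7", 80)
INBOUND = Flow("203.0.113.7", "10.0.0.25", 80)
ROVNIX_BEACON = (b"GET /index.php HTTP/1.1\r\n"
                 b"Host: example.invalid\r\n"
                 b"User-Agent: FWVersionTestAgent\r\n"
                 b"Connection: close\r\n\r\n")
BROWSER_REQUEST = (b"GET / HTTP/1.1\r\n"
                   b"Host: example.invalid\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n")
LOWERCASE_HEADER = ROVNIX_BEACON.replace(b"User-Agent:", b"user-agent:")


def run_samples() -> list:
    """Evaluate every sample with the rule as posted; return the alerts raised."""
    cases = [(OUTBOUND, ROVNIX_BEACON), (OUTBOUND, BROWSER_REQUEST),
             (INBOUND, ROVNIX_BEACON), (OUTBOUND, LOWERCASE_HEADER)]
    return [a for a in (evaluate_rule(f, r) for f, r in cases) if a]


if __name__ == "__main__":
    for alert in run_samples():
        print(f"[{alert['sid']}] {alert['msg']} {alert['src']} -> {alert['dst']}")
```

Only the first sample raises an alert: the browser request has a different User-Agent, the inbound copy fails the $HOME_NET -> $EXTERNAL_NET direction check, and the lowercase header name misses the case-sensitive pattern until nocase is requested.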
