Re: ....Fort Disco anyone?

[James Lay <jlay () slave-tothe-box net>]

On 2013-08-08 14:00, Joel Esler wrote:
> On Aug 8, 2013, at 3:58 PM, James Lay <jlay () slave-tothe-box net [2]>
> wrote:
>
> > On 2013-08-08 13:52, Joel Esler wrote:
> >
> > > Thanks James, I ran the samples and got a slightly better content
> > > match:
> > >
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > > (msg:"MALWARE-CNC Fort Disco Registration outbound connection";
> > > flow:to_server,established; content:"/cmd.php"; http_uri;
> > > content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Synapse)";
> > > fast_pattern:only; http_header; metadata:policy balanced-ips drop,
> > > policy security-ips drop, ruleset community, service http;
> > > reference:url,www.net-security.org/secworld.php?id=15370 [1];
> > > classtype:trojan-activity; sid:27599; rev:1;)
> >
> > Thanks Joel...I'll try and remember to include the UA on this type
> > of thing.
>
> Well, only if it’s static between samples.
>
> --
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

Indeed :)

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!