Snort mailing list archives
Re: Bisonha C&C activity
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 4 Sep 2013 11:36:31 -0400
Thanks Paul!

On Sep 4, 2013, at 11:01 AM, Paul Bottomley <Paul.Bottomley () betfair com> wrote:

Afternoon,

3001 is the only static match I can find… there may be something better to use? I've included {262,304} given there are 42 zeros at offset 0x83 and not sure if they are always used?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bisonha C&C activity"; flow:to_server,established; content:"3001"; fast_pattern; http_uri; pcre:"/3001[0-9A-F]{262,304}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://bl0g.cedricpernet.net/; classtype:trojan-activity; sid:xxxxx; rev:1;)
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
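The two-stage match the draft rule performs (the "3001" fast-pattern literal first, then the PCRE over the URI buffer) emulated in Python, as an added example that is not part of the thread and not Snort's own matching code. The request lines are constructed samples, not captured Bisonha traffic, and the helper assumes the URI it receives is already normalized the way Snort's /U buffer would be.

```python
import re

# Emulates the rule posted in the thread:
#   content:"3001"; fast_pattern; http_uri; pcre:"/3001[0-9A-F]{262,304}/U";
# Snort's /U flag restricts the PCRE to the normalized URI buffer; here the
# caller passes the URI string directly (assumption: it is already normalized).
FAST_PATTERN = "3001"
URI_PCRE = re.compile(r"3001[0-9A-F]{262,304}")  # no /i flag, so upper-case hex only


def uri_of(request_line: str) -> str:
    """Pull the request-target out of an HTTP request line ('GET /x HTTP/1.1')."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def matches_rule(uri: str) -> bool:
    """Two-stage check like Snort: cheap literal fast pattern, then the PCRE."""
    if FAST_PATTERN not in uri:  # fast-pattern miss: the PCRE is never evaluated
        return False
    return URI_PCRE.search(uri) is not None


def scan(request_lines):
    """Return the indices of the request lines the rule would alert on."""
    return [i for i, line in enumerate(request_lines) if matches_rule(uri_of(line))]


def build_uri(hex_len: int, upper: bool = True) -> str:
    """Constructed sample URI: a '3001' marker followed by hex_len hex digits."""
    alphabet = "0123456789ABCDEF"
    body = "".join(alphabet[i % 16] for i in range(hex_len))
    if not upper:
        body = body.lower()
    return "/index.php?id=3001" + body


# Constructed request lines (not captured traffic); the hex lengths bracket the
# {262,304} quantifier to show where the rule starts and stops firing.
SAMPLE_REQUESTS = [
    "GET " + build_uri(261) + " HTTP/1.1",               # one digit short of 262: no alert
    "GET " + build_uri(262) + " HTTP/1.1",               # exactly the minimum: alert
    "GET " + build_uri(304) + " HTTP/1.1",               # the upper bound (262 + 42): alert
    "GET " + build_uri(400) + " HTTP/1.1",               # longer than 304: still alerts
    "GET " + build_uri(304, upper=False) + " HTTP/1.1",  # lower-case hex: no alert
    "GET /index.php?id=3002" + "A" * 300 + " HTTP/1.1",  # fast pattern absent: no alert
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print("alert on request", i, SAMPLE_REQUESTS[i][:40] + "...")
```

Two properties of the pattern as written are worth checking before deploying it: nothing follows the quantifier, so the 304 upper bound never rejects a longer hex blob (the engine simply stops after 304 digits and the rule still fires), and the character class is case-sensitive, so a lower-case hex payload slips past it unless the /i flag is added.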
Current thread:
- Bisonha C&C activity Paul Bottomley (Sep 04)
- Re: Bisonha C&C activity Joel Esler (Sep 04)