Snort mailing list archives
Re: Pony checkin
From: Joel Esler <joel.esler () me com>
Date: Thu, 31 Oct 2013 09:00:15 -0400
On Oct 30, 2013, at 7:29 PM, James Lay <jlay () slave-tothe-box net> wrote:
On Oct 30, 2013, at 4:55 PM, James Lay <jlay () slave-tothe-box net> wrote:Didn't see this in the current sets: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Pony Checkin"; flow:to_server,established; content:"POST"; content:"HTTP|2f|1.0"; pcre:"/[a-f0-9]{10,12}/\x2f[a-f0-9]{10,12}/Ui"; content:"Content-Type|3a| application/octet-stream"; http_header; reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony"; classtype:trojan-activity; sid:10000109; rev:1;) Tested for errors, but not much more (it's late :P) JamesSloppy work…changed here: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Pony Checkin"; flow:to_server,established; content:"POST"; http_method; content:"HTTP|2f|1.0"; pcre:”/\x2f[a-f0-9]{10,12}\x2f[a-f0-9]{10,12}/Ui"; content:"Content-Type|3a| application/octet-stream"; http_header; reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony"; classtype:trojan-activity; sid:10000109; rev:1;)
Thanks James, we’ll have someone take a look! -- Joel Esler AEGIS Intelligence Lead OpenSource Community Manager Vulnerability Research Team, Sourcefire
------------------------------------------------------------------------------ Android is increasing in popularity, but the open development platform that developers love is also attractive to malware creators. Download this white paper to learn more about secure code signing practices that can help keep Android apps secure. http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Pony checkin James Lay (Oct 30)
- Re: Pony checkin James Lay (Oct 30)
- Re: Pony checkin Joel Esler (Oct 31)
- Re: Pony checkin James Lay (Oct 30)