Snort mailing list archives
Trojan Linkup sig
From: Y M <snort () outlook com>
Date: Tue, 4 Feb 2014 18:24:11 +0000
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Linkup outbound connection attempt";
flow:to_server,established; content:"POST"; http_method; content:"/uplink.php?logo.jpg"; urilen:20; http_uri;
content:"User-Agent: Mozilla/5.0"; http_header; content:"token="; http_client_body; fast_pattern:only; metadata:
impact_flag red, policy balanced-ips drop, policy security-drop ips, ruleset community, service http;
reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/;
classtype:trojan-activity; sid: 100155; rev:1;)
Thanks
YM
------------------------------------------------------------------------------ Managing the Performance of Cloud-Based Applications Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. Read the Whitepaper. http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Trojan Linkup sig Y M (Feb 04)
- Re: Trojan Linkup sig Carlos Pacho (Feb 04)
- Re: Trojan Linkup sig Y M (Feb 04)
- Re: Trojan Linkup sig Carlos Pacho (Feb 04)