Snort mailing list archives

Re: JackPOS sig


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 11 Feb 2014 16:13:02 -0700

On 2014-02-11 15:42, James Espinosa wrote:
Thanks, James. Although, in the POST request referenced in the SpiderLabs blog, the user agent string has a space (i.e. User-Agent: something). I also had issues producing an alert while testing. I removed the FILE_DATA keyword from the rule and it fired correctly (the user agent string is seen in requests going from internal to external (exfil), but not in the return traffic). Please correct me if I'm wrong, but perhaps this might work?

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS User-Agent detected"; flow:to_server,established; content:"User-Agent|3A| something"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html; classtype:trojan-activity; sid:10000125; rev:1;)

On Tue, Feb 11, 2014 at 2:46 PM, James Lay <jlay () slave-tothe-box net> wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS User-Agent detected"; flow:to_server,established; file_data; content:"User-Agent|3A|something"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html; classtype:trojan-activity; sid:10000125; rev:1;)

PoS Malware..what a pain.

James

Ah thank you....ya my sig-fu is weak these days :(

James
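The buffer-selection point raised in this thread, as an added example that is not code from either poster or from the Snort project: a small Python model that expands Snort content syntax (the |3A| hex escape for the colon) and splits a constructed HTTP request into the buffers a rule option can select. It assumes a simplified view in which http_header is the header block after the request line and file_data is the message body, which is enough to show why a content match placed after file_data never sees the User-Agent header of an outbound request, and why the space after the colon decides whether the header pattern matches. The sample request is constructed for the example and is not JackPOS traffic.

```python
"""Tiny model of Snort detection-buffer selection for a User-Agent content match.

Added example (not from the thread). The buffer semantics are a deliberate
simplification, labelled where assumed, not a reimplementation of Snort.
"""


def snort_content_to_bytes(pattern: str) -> bytes:
    """Expand Snort content syntax into raw bytes.

    Text outside |...| is literal; text inside is hex bytes, so
    'User-Agent|3A| x' becomes b'User-Agent: x'.
    """
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes.fromhex(chunk)  # fromhex tolerates spaces between byte pairs
    return bytes(out)


def http_buffers(raw: bytes) -> dict:
    """Split one HTTP message into the buffers a rule option can select.

    Assumption (simplified model): http_header is the header block after the
    request line; http_client_body and file_data are the message body. The
    point carried over from the thread is that file_data never covers the
    request headers, so a header-only string cannot match there.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message head")
    request_line, _, header_lines = head.partition(b"\r\n")
    return {
        "request_line": request_line,
        "http_header": header_lines + b"\r\n",
        "http_client_body": body,
        "file_data": body,
    }


def check_rule(content: str, buffer_option: str, raw: bytes) -> bool:
    """True if the Snort content string is found in the selected buffer."""
    needle = snort_content_to_bytes(content)
    return needle in http_buffers(raw)[buffer_option]


# Constructed sample request in the shape discussed in the thread (not real malware traffic).
SAMPLE_REQUEST = (
    b"POST /post.php HTTP/1.1\r\n"
    b"User-Agent: something\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 10\r\n"
    b"\r\n"
    b"track=0000"
)


def compare_rules(raw: bytes = SAMPLE_REQUEST) -> dict:
    """Evaluate the three variants discussed: original (file_data, no space),
    header match without the space, and header match with the space."""
    return {
        "file_data, no space": check_rule("User-Agent|3A|something", "file_data", raw),
        "http_header, no space": check_rule("User-Agent|3A|something", "http_header", raw),
        "http_header, with space": check_rule("User-Agent|3A| something", "http_header", raw),
    }


if __name__ == "__main__":
    for variant, fired in compare_rules().items():
        print(f"{variant:28s} -> {'alert' if fired else 'no alert'}")
```

Only the last variant fires on the constructed request: the body buffer does not contain the header at all, and without the space the pattern is "User-Agent:something", which is not the byte sequence the header carries.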


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
