Re: JackPOS sig

[James Lay <jlay () slave-tothe-box net>]

On 2014-02-14 09:39, Joel Esler (jesler) wrote:
> James,
>
> This (and one more) have been committed:
> 29816
> 29817
>
> --
>  JOEL ESLER
>  Threat Intelligence Team Lead
>  Open Source Manager
>  Vulnerability Research Team
>
> On Feb 11, 2014, at 7:21 PM, Joel Esler <jesler () cisco com [7]> wrote:
>
> > Thanks James, we’ll get this in!
> >
> > --
> > JOEL ESLER
> > Threat Intelligence Team Lead
> > Open Source Manager
> > Vulnerability Research Team
> >
> > On Feb 11, 2014, at 6:09 PM, James Lay <jlay () slave-tothe-box net
> > [6]> wrote:
> >
> > > On 2014-02-11 13:46, James Lay wrote:
> > >
> > > > alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC
> > > > JackPOS
> > > > User-Agent detected"; flow:to_server,established; file_data;
> > > > content:"User-Agent|3A|something"; http_header;
> > > > fast_pattern:only;
> > > > metadata:policy balanced-ips drop, policy security-ips drop,
> > > > service
> > > > http;
>
> reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html
> > > > [1];
> > > >
> > > > classtype:trojan-activity; sid:10000125; rev:1;)
> > > >
> > > > PoS Malware..what a pain.
> > > >
> > > > James

Thanks Joel...let's hope nobody ever sees it...bad scene :(

James

------------------------------------------------------------------------------
Android apps run on BlackBerry 10
Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
Now with support for Jelly Bean, Bluetooth, Mapview and more.
Get your Android app in front of a whole new audience.  Start now.
http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!