Snort mailing list archives

Dyre trojan


From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 16 Jun 2014 16:46:35 -0600

Neat...in a bad sort of way.

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Dyre Trojan publickey request"; \
    flow:to_server,established; file_data; \
    content:"User-Agent|3A|Wget|2f|1|2e|9"; http_header; fast_pattern:only; \
    content:"|2f|publickey|2f|"; http_uri; \
    metadata:policy balanced-ips drop, policy security-ips drop, service http; \
    reference:url,http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; \
    classtype:trojan-activity; sid:10000133; rev:1;)

James
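As an added illustration (not part of James's post or the Snort project), the script below decodes the rule's two content strings from Snort's |hex| notation and applies the same two-buffer logic (User-Agent match in the header block, /publickey/ match in the request URI) to constructed HTTP requests. The header content is matched byte-for-byte as the rule writes it, with no space after the colon; whether Snort's http_inspect header normalization would also match a request that has a space there depends on the preprocessor configuration and is not asserted here.

```python
# The rule's two content matches, copied in Snort's |hex| notation.
RULE_HEADER_CONTENT = "User-Agent|3A|Wget|2f|1|2e|9"
RULE_URI_CONTENT = "|2f|publickey|2f|"


def decode_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string into raw bytes: text outside |...| is
    literal, text inside |...| is hex byte values (spaces allowed)."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")   # literal text
        else:
            out += bytes.fromhex(chunk)      # |3A| -> b":"
    return bytes(out)


def split_request(raw: bytes):
    """Return (uri, header_block) for one HTTP request. This is a minimal
    splitter, not a full parser: request line, then headers up to the
    blank line that ends them."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, headers


def matches_dyre_rule(raw: bytes) -> bool:
    """Mirror the rule: both contents must be present, each in its own
    buffer (http_header for the User-Agent, http_uri for the path)."""
    uri, headers = split_request(raw)
    return (decode_snort_content(RULE_HEADER_CONTENT) in headers
            and decode_snort_content(RULE_URI_CONTENT) in uri)


# Constructed sample requests (not real captures) for checking the logic.
HIT = (b"GET /publickey/ HTTP/1.1\r\nHost: example.invalid\r\n"
       b"User-Agent:Wget/1.9\r\n\r\n")
WRONG_UA = (b"GET /publickey/ HTTP/1.1\r\nHost: example.invalid\r\n"
            b"User-Agent: Mozilla/5.0\r\n\r\n")
WRONG_URI = (b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
             b"User-Agent:Wget/1.9\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("HIT", HIT), ("WRONG_UA", WRONG_UA), ("WRONG_URI", WRONG_URI)):
        print(name, matches_dyre_rule(req))
```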


