Snort mailing list archives
Re: Dyre trojan
From: Carlos Pacho <cpacho () sourcefire com>
Date: Tue, 17 Jun 2014 12:04:52 -0400
Hi James,

We'll get this rule added to the community ruleset.

Thanks!

Carlos Pacho
Research Engineer, VRT
Sourcefire, now part of Cisco
cpacho () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>

On Mon, Jun 16, 2014 at 6:46 PM, James Lay <jlay () slave-tothe-box net> wrote:
> Neat...in a bad sort of way.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Dyre Trojan publickey request"; flow:to_server,established; file_data; content:"User-Agent|3A|Wget|2f|1|2e|9"; http_header; fast_pattern:only; content:"|2f|publickey|2f|"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; classtype:trojan-activity; sid:10000133; rev:1;)
>
> James
>
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems
> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> http://p.sf.net/sfu/hpccsystems
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
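As an added illustration (not part of the thread or of the Snort project's code), the Python below expands the rule's `|hex|` content strings into the literal bytes Snort compares against and applies the two matches (User-Agent in the header buffer, `/publickey/` in the URI buffer) to constructed HTTP requests. The sample requests and host names are made up for the example.

```python
from typing import Tuple


def decode_snort_content(pattern: str) -> bytes:
    """Expand Snort |hex| escapes: odd-indexed segments between pipes are hex bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


# Content strings copied from the rule in the thread (sid:10000133).
UA_PATTERN = decode_snort_content("User-Agent|3A|Wget|2f|1|2e|9")   # b"User-Agent:Wget/1.9"
URI_PATTERN = decode_snort_content("|2f|publickey|2f|")             # b"/publickey/"


def parse_http_request(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a client request into (request-URI, raw header block)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, headers


def matches_dyre_rule(raw: bytes) -> bool:
    """Both content matches must hit: UA bytes in the headers, path bytes in the URI."""
    uri, headers = parse_http_request(raw)
    return UA_PATTERN in headers and URI_PATTERN in uri


# Constructed sample traffic (not a real capture).
SAMPLE_HIT = (b"GET /1234/publickey/ HTTP/1.1\r\nHost: c2.example.invalid\r\n"
              b"User-Agent:Wget/1.9\r\n\r\n")
# Same path, but a space after the colon: the literal header match no longer fires.
SAMPLE_SPACED_UA = (b"GET /1234/publickey/ HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                    b"User-Agent: Wget/1.9\r\n\r\n")
# Ordinary request: neither match fires.
SAMPLE_MISS = (b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n"
               b"User-Agent: Wget/1.9\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("hit", SAMPLE_HIT), ("spaced_ua", SAMPLE_SPACED_UA), ("miss", SAMPLE_MISS)]:
        print(name, matches_dyre_rule(req))
```

The spaced-User-Agent sample shows that a `content` match is byte-exact, so the rule only fires on the header written without a space after the colon.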
Current thread:
- Dyre trojan James Lay (Jun 16)
- Re: Dyre trojan Carlos Pacho (Jun 17)