Snort mailing list archives

Detection for "niki-bot" and "Awesome Screenshot URL" spyware


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Thu, 14 Aug 2014 11:52:54 -0400

Source: https://mig5.net/content/awesome-screenshot-and-niki-bot

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT niki-bot"; flow:to_server,established; content:"User-Agent|3A| niki-bot"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; classtype:attempted-recon; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; sid:1000000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI POST request to /service2"; flow:to_server,established; content:"POST"; http_method; content:"/service2"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; classtype:successful-recon-limited; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; sid:1000001; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain s1821.crdui.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|s1821|05|crdui|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; classtype:attempted-recon; sid:1000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain webovernet.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|webovernet|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; classtype:attempted-recon; sid:1000003; rev:1;)

-- 
when does reality end? when does fantasy begin?

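The two DNS rules above depend on two details that are easy to get wrong by hand: the length-prefixed label encoding in the content match (|05|s1821|05|crdui|03|com|00|) and the byte_test:1,!&,0xF8,2 check, which looks at the high flags byte at offset 2 and requires QR and the opcode bits to be clear, i.e. a plain standard query. The harness below is an added example, not part of the original post and not Snort code: it encodes a domain into Snort content syntax, builds a constructed DNS query packet, and applies the same two conditions the rule applies. The function names snort_dns_content, snort_content_to_bytes, build_dns_query and rule_matches are my own.

```python
import struct


def snort_dns_content(domain: str) -> str:
    """Encode a domain as the length-prefixed label string a Snort DNS
    content match uses, e.g. "s1821.crdui.com" -> "|05|s1821|05|crdui|03|com|00|"."""
    parts = []
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        parts.append(f"|{len(label):02X}|{label}")
    return "".join(parts) + "|00|"  # root label terminates the name


def snort_content_to_bytes(content: str) -> bytes:
    """Turn Snort content syntax (hex inside pipes, literal text outside) into bytes."""
    out = bytearray()
    in_hex = False
    for chunk in content.split("|"):
        out += bytes.fromhex(chunk) if in_hex else chunk.encode("ascii")
        in_hex = not in_hex
    return bytes(out)


def build_dns_query(domain: str, txid: int = 0x1234, response: bool = False) -> bytes:
    """Construct a minimal DNS A/IN query; with response=True set the QR bit
    so the same question section arrives as an answer instead."""
    flags = 0x0100            # standard query (opcode 0), RD set
    if response:
        flags |= 0x8000       # QR=1: this is a response
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = snort_content_to_bytes(snort_dns_content(domain))
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def rule_matches(payload: bytes, content: str) -> bool:
    """Mirror the rule body: byte_test:1,!&,0xF8,2 then an unanchored content search."""
    if len(payload) < 3:
        return False
    # Offset 2 is the high flags byte: QR (0x80) plus opcode (0x78).
    # The rule requires none of those bits set, so responses and
    # non-standard opcodes (inverse query, status, notify, update) never match.
    if payload[2] & 0xF8:
        return False
    return snort_content_to_bytes(content) in payload


if __name__ == "__main__":
    # Constructed traffic: one matching query, one response, one look-alike name.
    for name, kwargs in [("s1821.crdui.com", {}),
                         ("s1821.crdui.com", {"response": True}),
                         ("s1821.crdui.com.example.org", {})]:
        pkt = build_dns_query(name, **kwargs)
        print(name, kwargs, rule_matches(pkt, "|05|s1821|05|crdui|03|com|00|"))
```

Two properties worth noting: the trailing |00| is what stops s1821.crdui.com.example.org from matching, while the unanchored content search means any subdomain of the listed name (a.webovernet.com) still fires, which is the behaviour you want from a blocklist rule.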