Snort mailing list archives
Mumblehard sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 01 May 2015 10:21:49 -0600
....mumblehard..really? ANYWAY:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Possible Mumblehard UA"; flow:to_server,established; content:"User-Agent|3a| Mozilla|2f|5.0 |28|Windows NT 6.1|3b| rv|3a|7.0.1|29| Gecko|2f|"; fast_pattern:only; content:"Firefox|2f|7.0.1"; reference:url,www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers; classtype:bad-unknown; sid:10000159; rev:1;)

If your org is REALLY running Firefox 7.0.1 (released in September 2011), then chances are this WILL false. Standard disclaimer of "fix it if it needs it" applies. Sanity checked only.

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
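A small Python harness, added here and not part of James Lay's post or of Snort itself, that decodes the rule's |hex| content escapes and checks both content patterns against constructed sample request-header lines, so the match (and the Firefox 7.0.1 false-positive case the post warns about) can be seen without running Snort. The rule text is the one from the post with the stray quote after the reference URL corrected to a semicolon.

```python
import re

# Rule from the post; the "'" after the reference URL is replaced by ";"
# so the option list parses.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 '
    '(msg:"MALWARE-OTHER Possible Mumblehard UA"; flow:to_server,established; '
    'content:"User-Agent|3a| Mozilla|2f|5.0 |28|Windows NT 6.1|3b| rv|3a|7.0.1|29| Gecko|2f|"; '
    'fast_pattern:only; content:"Firefox|2f|7.0.1"; '
    'reference:url,www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers; '
    'classtype:bad-unknown; sid:10000159; rev:1;)'
)

# Constructed sample payloads (not real captures). The first is what both a
# Mumblehard client and a genuine Firefox 7.0.1 would send, which is exactly
# why the post says the rule will false on a real Firefox 7.0.1 install.
LEGACY_FF_UA = (b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) "
                b"Gecko/20100101 Firefox/7.0.1\r\n")
MODERN_FF_UA = (b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) "
                b"Gecko/20100101 Firefox/37.0\r\n")


def decode_content(s):
    """Expand Snort's |hex| escapes: segments between pipes are hex bytes."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def rule_contents(rule):
    """Return the decoded byte patterns of every content: option in the rule."""
    return [decode_content(m) for m in re.findall(r'content:"([^"]*)"', rule)]


def matches(rule, payload):
    """Every content pattern must occur somewhere in the payload. This rule
    uses no distance/within/offset/depth, so each search is independent and
    a plain substring test is faithful to Snort's behaviour here."""
    return all(pat in payload for pat in rule_contents(rule))


if __name__ == "__main__":
    for name, ua in (("legacy Firefox 7.0.1", LEGACY_FF_UA), ("Firefox 37", MODERN_FF_UA)):
        print(f"{name}: {'ALERT' if matches(RULE, ua) else 'no match'}")
```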