Snort mailing list archives

Dridex sig


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 17 Jun 2015 08:49:36 -0600

Meh...keep seeing this base64 encoded WScript, so here's a sig:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-OTHER Dridex WScript Download"; \
    flow:established,to_server; \
    content:"|2f|89172387|2e|txt"; http_uri; fast_pattern:only; \
    reference:url,malwr.com/analysis/MGRmZmFmNjk1MTNlNDNhN2IwYzEyODFlNWY0ZDAxYmM; \
    classtype:trojan-activity; sid:10000161; rev:1; \
)

If you see this hit, someone on your network has just opened a Dridex 
word doc in an email.  Sanity checked only.

James
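Editor's note. The rule above fires only when a host inside $HOME_NET makes an established HTTP request to a host outside it, on one of $HTTP_PORTS, whose normalized URI contains the bytes "/89172387.txt" (the |2f| and |2e| escapes are just "/" and "."). Because the match is a single literal filename, it will stop alerting as soon as the campaign rotates the download name. The following Python is an added example, not code from James Lay's post or from the Snort project: it decodes the rule's content string the way Snort does and applies the same direction, port and URI conditions to constructed sample requests. HOME_NET, HTTP_PORTS and the sample traffic are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values (not from the original post); set them to match your snort.conf.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
HTTP_PORTS = {80, 8080, 8000}

# The content keyword from the posted rule, verbatim: |..| spans are hex bytes.
RULE_CONTENT = "|2f|89172387|2e|txt"


def decode_snort_content(s: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal,
    text inside is space-separated hex bytes."""
    parts = s.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes(int(h, 16) for h in part.split())
    return bytes(out)


@dataclass
class HttpRequest:
    src: str
    dst: str
    dport: int
    uri: str  # normalized request URI, as http_uri would see it


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def matches_rule(req: HttpRequest, needle: bytes = decode_snort_content(RULE_CONTENT)) -> bool:
    """Apply the rule's header and content conditions:
    $HOME_NET -> $EXTERNAL_NET, dport in $HTTP_PORTS, needle within the URI."""
    if not in_home_net(req.src) or in_home_net(req.dst):
        return False
    if req.dport not in HTTP_PORTS:
        return False
    return needle in req.uri.encode("latin-1")


# Constructed sample traffic for the example (not real observations).
SAMPLES = [
    HttpRequest("10.1.2.3", "203.0.113.10", 80, "/89172387.txt"),
    HttpRequest("10.1.2.3", "203.0.113.10", 80, "/docs/89172387.txt?x=1"),
    HttpRequest("10.1.2.3", "203.0.113.10", 443, "/89172387.txt"),  # port not in HTTP_PORTS
    HttpRequest("203.0.113.10", "10.1.2.3", 80, "/89172387.txt"),   # wrong direction
    HttpRequest("10.1.2.3", "203.0.113.10", 80, "/89172387txt"),    # '.' missing, no match
    HttpRequest("10.1.2.3", "203.0.113.10", 80, "/index.html"),
]


def alerts(requests=SAMPLES):
    """Return the URIs of the sample requests that would trigger the rule."""
    return [r.uri for r in requests if matches_rule(r)]


if __name__ == "__main__":
    for uri in alerts():
        print("MALWARE-OTHER Dridex WScript Download:", uri)
```

Only the first two samples alert: the 443 request is outside $HTTP_PORTS, the inbound request fails the $HOME_NET -> $EXTERNAL_NET header, and the URI without the "." does not contain the full needle. Note that real Snort evaluates http_uri against the normalized URI buffer, so the string you test here should be the post-normalization form.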

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

