Snort mailing list archives

KrakenHTTP botnet sig


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 17 Apr 2015 09:03:39 -0600

This might be old news, but I didn't see any sigs so here's one for it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC KrakenHTTP C&C Traffic Detected"; \
    flow:established,to_server; \
    uricontent:"idcontact.php|3F|"; uricontent:"=|26|steam="; \
    uricontent:"|26|origin="; uricontent:"|26|webnavig="; uricontent:"|26|java="; \
    reference:url,itsjack.cc/blog/2015/02/krakenhttp-not-sinking-my-ship-part-1; \
    classtype:bad-unknown; sid:10000157; rev:1;)

Sanity tested only

James
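As an added example (not part of James's post), the following Python applies the rule's five uricontent patterns to request lines the way Snort would: each |XX| hex escape is expanded (|3F| is '?', |26| is '&') and every pattern must be present in the URI for the rule to fire. The sample request lines are constructed for illustration, and the code matches the raw request target rather than Snort's normalized URI buffer.

```python
# The uricontent patterns from the posted KrakenHTTP rule, in Snort's own
# notation where |XX| is a hex-escaped byte (|3F| = '?', |26| = '&').
KRAKEN_URICONTENT = [
    "idcontact.php|3F|",
    "=|26|steam=",
    "|26|origin=",
    "|26|webnavig=",
    "|26|java=",
]


def decode_snort_content(pattern: str) -> bytes:
    """Expand Snort |XX XX| hex escapes into raw bytes; literal text is kept as-is."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")      # literal segment
        else:
            out += bytes.fromhex(chunk)         # hex segment, spaces between bytes allowed
    return bytes(out)


def uri_matches_rule(uri: str, patterns=KRAKEN_URICONTENT) -> bool:
    """True only when every uricontent pattern occurs in the URI (Snort ANDs them)."""
    data = uri.encode("latin-1", errors="replace")
    return all(decode_snort_content(p) in data for p in patterns)


# Constructed sample request lines (not real captures) to exercise the check.
SAMPLE_REQUESTS = [
    "GET /panel/idcontact.php?id=&steam=0&origin=Windows&webnavig=chrome&java=1 HTTP/1.1",
    "GET /idcontact.php?steam=1&java=0 HTTP/1.1",   # partial: lacks =&steam=, origin, webnavig
    "GET /index.php?page=contact&java=1 HTTP/1.1",   # benign: no idcontact.php
]


def scan_requests(lines):
    """Return the request targets whose URI satisfies all uricontent checks."""
    hits = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue  # not a "METHOD URI VERSION" request line
        if uri_matches_rule(parts[1]):
            hits.append(parts[1])
    return hits


if __name__ == "__main__":
    for uri in scan_requests(SAMPLE_REQUESTS):
        print("KrakenHTTP C&C pattern matched:", uri)
```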

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs