Snort mailing list archives
KrakenHTTP botnet sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 17 Apr 2015 09:03:39 -0600
This might be old news, but didn't see any sigs so here's one for it: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC KrakenHTTP C&C Traffic Detected"; flow:established,to_server; uricontent:"idcontact.php|3F|"; uricontent:"=|26|steam="; uricontent:"|26|origin="; uricontent:"|26|webnavig="; uricontent:"|26|java="; reference:url,itsjack.cc/blog/2015/02/krakenhttp-not-sinking-my-ship-part-1; classtype:bad-unknown; sid:10000157; rev:1;) Sanity tested only James ------------------------------------------------------------------------------ BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT Develop your own process in accordance with the BPMN 2 standard Learn Process modeling best practices with Bonita BPM through live exercises http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_ source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- KrakenHTTP botnet sig James Lay (Apr 17)
- Re: KrakenHTTP botnet sig Matt Mickel (May 04)