Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Offer a new sig for detecting JS_JITON Malware

From: rmkml <rmkml () ligfy org>
Date: Mon, 11 Apr 2016 21:48:52 +0200 (CEST)
Hi,

First, Thx @TrendMicro for sharing,

The http://etplc.org open source project offer a new sig for detecting JS_JITON:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC JS_JITON Malware possible attempt"; 
flow:to_server,established;
content:".tongjii."; nocase; http_header; content:".js"; nocase; http_uri; pcre:"/Host\x3a[^\r\n]*?\.tongjii\./Hi";
reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-devices-used-to-execute-dns-malware-against-home-routers/;
classtype:misc-attack; sid:1; rev:1;)

See reference for more information.

Don't forget check variables.

Please send any comments.

Regards
@Rmkml

------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: