Snort mailing list archives

Re: Offer a new sig for detecting JS_JITON Malware


From: Joshua Williams <joshuwi2 () sourcefire com>
Date: Mon, 11 Apr 2016 15:51:30 -0400

Hi rmkml,

Thanks for your submission. I'll review and test these rules and get back
to you when they're finished.

V.r.,
Josh Williams
Research Engineer
VRT

On Mon, Apr 11, 2016 at 3:48 PM, rmkml <rmkml () ligfy org> wrote:

Hi,

First, Thx @TrendMicro for sharing,

The http://etplc.org open source project offers a new sig for detecting
JS_JITON:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC JS_JITON Malware possible attempt"; flow:to_server,established; content:".tongjii."; nocase; http_header; content:".js"; nocase; http_uri; pcre:"/Host\x3a[^\r\n]*?\.tongjii\./Hi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-devices-used-to-execute-dns-malware-against-home-routers/; classtype:misc-attack; sid:1; rev:1;)

See reference for more information.

Don't forget to check variables.

Please send any comments.

Regards
@Rmkml


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
V/r,
Josh Williams
Research Engineer
VRT
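An added example, not part of this thread or of the ETPLC project: a small Python check that applies the same three conditions as the submitted rule (".tongjii." in the headers, ".js" in the URI, and the pcre pinning the string to the Host line) to constructed HTTP requests, so a reviewer can see which requests the rule would and would not fire on before loading it into Snort. The sample requests and the hostname "ad.tongjii.example" are constructed for the test, not observed traffic.

```python
import re

# Constructed client requests (flow:to_server) exercising the rule's options.
SAMPLES = {
    # '.tongjii.' in Host and a .js URI: every option matches
    "match": (
        b"GET /js/ke.js HTTP/1.1\r\n"
        b"Host: ad.tongjii.example\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    # '.tongjii.' is present, but only in Referer; the http_header content
    # match passes, the pcre (anchored on 'Host:') does not
    "wrong_header": (
        b"GET /js/ke.js HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Referer: http://x.tongjii.example/\r\n\r\n"
    ),
    # Host matches but the URI carries no '.js'
    "not_js": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: ad.tongjii.example\r\n\r\n"
    ),
}

# pcre:"/Host\x3a[^\r\n]*?\.tongjii\./Hi": 'H' limits the search to the
# header buffer, 'i' makes it case-insensitive.
HOST_RE = re.compile(rb"Host\x3a[^\r\n]*?\.tongjii\.", re.IGNORECASE)


def split_request(raw):
    """Return (uri, headers) for a raw HTTP/1.x request."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    uri = lines[0].split(b" ")[1]          # request-line: METHOD URI VERSION
    headers = b"\r\n".join(lines[1:])      # approximates Snort's header buffer
    return uri, headers


def jiton_rule_matches(raw):
    """Apply the rule's three detection options to one client request."""
    uri, headers = split_request(raw)
    if b".tongjii." not in headers.lower():   # content:".tongjii."; nocase; http_header
        return False
    if b".js" not in uri.lower():             # content:".js"; nocase; http_uri
        return False
    return HOST_RE.search(headers) is not None  # pcre pins it to the Host line
```

The "wrong_header" case is the one worth keeping in mind when tuning: without the pcre, the two content matches alone would fire on any header carrying the string.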