Snort mailing list archives
Signature for post infection c2 server contact
From: el cabezon <elcabezzonn () gmail com>
Date: Fri, 9 Sep 2016 15:32:44 -0400
This is a sig for a very particular UA I've seen contact several C2 servers with the ccTLD .ru. Once it contacts the C2, additional payloads are dropped on the infected host. Any recommendations or critiques on how to improve the rule are welcome. Thank you.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"Post Infection C2 server contact"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:!"|0A|Referer|3A|"; http_header; \
    content:"User-Agent|3A| Christmas Mystery "; http_header; nocase; \
    classtype:trojan-activity; \
    sid:1000000004; rev:2; \
)
------------------------------------------------------------------------------
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
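The following is an added example, not part of the original post or of any Snort code: a small Python stand-in for the matching logic of the posted rule, run over constructed HTTP requests, so the three content checks can be exercised side by side. It models Snort's http_header buffer as everything between the request line and the blank line (a simplification; the real inspector decides the exact buffer boundaries), it honours the fact that nocase modifies only the content keyword immediately before it (so the negated "|0A|Referer|3A|" check stays case-sensitive while the User-Agent check is not), and it keeps the trailing space of the "Christmas Mystery " pattern, which means a User-Agent of exactly "Christmas Mystery" followed by CRLF does not fire. Host names and request paths in the samples are made up.

```python
"""
Toy matcher for the posted Snort rule (added example, not Snort itself):

  content:"POST"; http_method;
  content:!"|0A|Referer|3A|"; http_header;
  content:"User-Agent|3A| Christmas Mystery "; http_header; nocase;

All sample requests below are constructed for illustration.
"""

RULE_UA = b"User-Agent: Christmas Mystery "   # pattern from the rule, trailing space included
REFERER_NEG = b"\nReferer:"                    # "|0A|Referer|3A|", negated in the rule


def split_request(raw: bytes):
    """Return (method, header_block) for a raw HTTP request.

    header_block is the bytes between the request line and the blank line,
    which is what this toy uses in place of Snort's http_header buffer.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return method, headers


def rule_matches(raw: bytes) -> bool:
    """Apply the rule's three content checks to one request."""
    method, headers = split_request(raw)
    if method != b"POST":                       # content:"POST"; http_method;
        return False
    # The 0x0A in front of "Referer:" anchors the match to a header line
    # boundary.  A newline is prepended here (assumption of this model) so a
    # Referer on the very first header line is treated as present too.
    # No nocase follows this content in the rule, so the test is case-sensitive.
    if REFERER_NEG in b"\n" + headers:          # content:!"|0A|Referer|3A|"; http_header;
        return False
    # nocase applies only to this content, hence the lower() on both sides.
    if RULE_UA.lower() not in headers.lower():  # content:"User-Agent|3A| Christmas Mystery "; http_header; nocase;
        return False
    return True


# Constructed requests covering the positive case and each way the rule
# declines to fire.  Hosts and paths are placeholders.
SAMPLES = {
    "post_ua_no_referer": (
        b"POST /gate.php HTTP/1.1\r\n"
        b"Host: c2.example.test\r\n"
        b"User-Agent: Christmas Mystery 1.0\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "post_ua_lowercase": (
        b"POST /gate.php HTTP/1.1\r\n"
        b"Host: c2.example.test\r\n"
        b"user-agent: christmas mystery 1.0\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "post_with_referer": (
        b"POST /gate.php HTTP/1.1\r\n"
        b"Host: c2.example.test\r\n"
        b"Referer: http://c2.example.test/\r\n"
        b"User-Agent: Christmas Mystery 1.0\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "get_ua_no_referer": (
        b"GET /gate.php HTTP/1.1\r\n"
        b"Host: c2.example.test\r\n"
        b"User-Agent: Christmas Mystery 1.0\r\n\r\n"
    ),
    "post_ua_no_trailing_space": (
        b"POST /gate.php HTTP/1.1\r\n"
        b"Host: c2.example.test\r\n"
        b"User-Agent: Christmas Mystery\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    # lowercase header name: the negated content is case-sensitive, so the
    # rule as written still fires on this request
    "post_lowercase_referer": (
        b"POST /gate.php HTTP/1.1\r\n"
        b"Host: c2.example.test\r\n"
        b"referer: http://c2.example.test/\r\n"
        b"User-Agent: Christmas Mystery 1.0\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
}


def evaluate_samples() -> dict:
    """Run every constructed request through the matcher."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:28s} {'ALERT' if hit else 'no alert'}")
```

The two cases worth a second look before deploying the rule are "post_ua_no_trailing_space" and "post_lowercase_referer": the first shows that the trailing space in the User-Agent content is part of the match, so drop it if the bare string "Christmas Mystery" should also alert; the second shows that only the User-Agent content is case-insensitive, so if the intent is to suppress on any Referer spelling, the negated content needs its own nocase (or rely on the HTTP inspector's normalisation, which should be confirmed against pcaps rather than assumed).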
Current thread:
- Signature for post infection c2 server contact el cabezon (Sep 09)