Snort mailing list archives

Signature for post infection c2 server contact


From: el cabezon <elcabezzonn () gmail com>
Date: Fri, 9 Sep 2016 15:32:44 -0400

This is a sig for a very particular UA i've seen contact several c2 servers
with the cctld .ru. Once it contacts the c2 additional payloads are dropped
on the infected host. Any recommendations or critiques on how to improve
the rule are welcome. Thank you.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Post Infection C2 server contact"; flow:to_server,established; content:"POST"; http_method; content:!"|0A|Referer|3A|"; http_header; content:"User-Agent|3A| Christmas Mystery "; http_header; nocase; sid:1000000004; rev:2;)
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
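Added example (not part of the original post or of Snort): a small Python harness that replays the three header conditions of the posted rule (POST method, no Referer header, case-insensitive "User-Agent: Christmas Mystery " in the headers) against constructed HTTP requests, so the rule's behaviour can be checked before it goes into a sensor. The request samples are constructed; the User-Agent string is the one in the rule. Two details the samples make visible: `nocase` applies only to the User-Agent content, so the method match stays case-sensitive, and the trailing space in the User-Agent content means a header that ends right after "Mystery" does not match. The Referer check here treats a Referer header in any position as a miss, which is slightly broader than the rule's `|0A|Referer|3A|` pattern when Referer happens to be the first header line.

```python
"""Replay the header conditions of the posted Snort rule against constructed
HTTP requests. Added example, not part of the original post or of Snort."""
import re

# Taken from the posted rule: content:"User-Agent|3A| Christmas Mystery "; nocase;
USER_AGENT_CONTENT = b"User-Agent: Christmas Mystery "


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, header block).

    The header block approximates what Snort's http_header buffer holds:
    everything after the request line up to the blank line."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0]
    headers = b"\r\n".join(lines[1:])
    return method, headers


def matches_rule(raw: bytes) -> bool:
    """True when the request satisfies all content checks of the rule."""
    method, headers = parse_request(raw)
    # content:"POST"; http_method;  (no nocase, so exact match)
    if method != b"POST":
        return False
    # content:!"|0A|Referer|3A|"; http_header;
    # Any Referer header line is treated as a miss (see lead-in caveat).
    if re.search(rb"(?m)^Referer:", headers):
        return False
    # content:"User-Agent|3A| Christmas Mystery "; http_header; nocase;
    return USER_AGENT_CONTENT.lower() in headers.lower()


# Constructed sample requests; the host name is a placeholder.
SAMPLES = {
    "post_no_referer": (
        b"POST /gate.php HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Christmas Mystery 1.0\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "post_lowercase_ua": (
        b"POST /gate.php HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"user-agent: christmas mystery 1.0\r\n\r\n"
    ),
    "post_with_referer": (
        b"POST /gate.php HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Referer: http://example.invalid/\r\n"
        b"User-Agent: Christmas Mystery 1.0\r\n\r\n"
    ),
    "get_request": (
        b"GET /gate.php HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Christmas Mystery 1.0\r\n\r\n"
    ),
    "ua_without_trailing_space": (
        b"POST /gate.php HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Christmas Mystery\r\n\r\n"
    ),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns {name: matched}."""
    return {name: matches_rule(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:28s} {'ALERT' if hit else 'no match'}")
```

Only `post_no_referer` and `post_lowercase_ua` should alert; the GET request, the request carrying a Referer header, and the User-Agent that ends right after "Mystery" all fall through, which is the behaviour the rule as written encodes.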
