Snort mailing list archives
Re: Osx.Adware.Pirrit
From: Tyler Montier <tmontier () sourcefire com>
Date: Fri, 17 Feb 2017 15:45:16 -0500
Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished.

Thanks,
Tyler Montier
Cisco Talos

On Fri, Feb 17, 2017 at 11:21 AM, Y M <snort () outlook com> wrote:
Hello,

Sorry for the noise 😊. This one is also a bit old and I did not find existing signatures for it. Like the one before, the signatures were derived from the reference article. No pcaps are available.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/engine/getData.php?"; fast_pattern:only; content:"type=service"; http_uri; content:"&file="; http_uri; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000844; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/cld?mid="; fast_pattern:only; content:"&ct="; http_uri; content:"User-Agent|3A 20|curl"; http_header; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000845; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/update-effect?mid="; fast_pattern:only; content:"&st="; content:"User-Agent|3A 20|curl"; http_header; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000846; rev:1;)

Thank you.
YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the latest emerging threats: https://snort.org/downloads/#rule-downloads
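Since no pcaps accompany the submission, here is an added check (not part of the thread, and not Snort itself): a small Python parser for the content/http_* options of the three rules above, run over constructed HTTP requests shaped like the URIs the rules describe. Buffer handling is a simplification of Snort's HTTP inspection, and the hosts and ids in the sample requests are placeholders.

```python
import re

# Constructed copies of the three rules from the post (sids 1000844-1000846, options as posted).
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/engine/getData.php?"; fast_pattern:only; content:"type=service"; http_uri; content:"&file="; http_uri; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000844; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/cld?mid="; fast_pattern:only; content:"&ct="; http_uri; content:"User-Agent|3A 20|curl"; http_header; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000845; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/update-effect?mid="; fast_pattern:only; content:"&st="; content:"User-Agent|3A 20|curl"; http_header; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000846; rev:1;)',
]

def decode_content(text):
    """Turn a Snort content string into bytes; |..| sections are hex, e.g. |3A 20| -> b': '."""
    parts = text.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def parse_rule(rule):
    """Return (sid, [(pattern, buffer)]). The buffer is the Snort 2 HTTP buffer named by the
    modifier following each content keyword; a content with no modifier (such as the "&st="
    in sid 1000846) is searched in the whole payload rather than the URI."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    sid = int(re.search(r"\bsid:(\d+)", opts).group(1))
    checks = []
    for tok in (t.strip() for t in opts.split(";")):
        if tok.startswith("content:"):
            checks.append([decode_content(tok[len("content:"):].strip().strip('"')), "payload"])
        elif tok in ("http_method", "http_uri", "http_header") and checks:
            checks[-1][1] = tok[len("http_"):]
    return sid, [tuple(c) for c in checks]

def matching_sids(request, rules=RULES):
    """Return the sids whose content checks all hit for one raw HTTP request (bytes).
    Simplification: the request is split into method, URI and header block with no normalisation."""
    head = request.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    method, uri = request_line.split(b" ")[:2]
    buffers = {"method": method, "uri": uri, "header": headers, "payload": request}
    hits = []
    for rule in rules:
        sid, checks = parse_rule(rule)
        if all(pattern in buffers[buf] for pattern, buf in checks):
            hits.append(sid)
    return hits

# Constructed requests modelled on the URI shapes the rules describe (host and ids are placeholders).
SAMPLES = {
    "getdata": b"GET /engine/getData.php?type=service&file=x.plist HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "cld": b"GET /cld?mid=PLACEHOLDER&ct=1 HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: curl/7.43.0\r\n\r\n",
    "update": b"GET /update-effect?mid=PLACEHOLDER&st=1 HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: curl/7.43.0\r\n\r\n",
    "cld_browser_ua": b"GET /cld?mid=PLACEHOLDER&ct=1 HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, matching_sids(req))
```

The last sample shows that sid 1000845 depends on the curl User-Agent: the same URI with a browser User-Agent produces no hit.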
Current thread:
- Osx.Adware.Pirrit Y M (Feb 17)
- Re: Osx.Adware.Pirrit James Lay (Feb 17)
- Re: Osx.Adware.Pirrit Tyler Montier (Feb 17)