Re: Osx.Adware.Pirrit

[Tyler Montier <tmontier () sourcefire com>]

Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Thanks,

Tyler Montier
Cisco Talos

On Fri, Feb 17, 2017 at 11:21 AM, Y M <snort () outlook com> wrote:

> Hello,
>
>
> Sorry for the noise [image: 😊]. This one is also a bit old and I did not
> find existing signatures for it. Like the one before, the
> signatures were derived from the reference article. No pcaps are available.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
> Osx.Adware.Pirrit outbound connection"; flow:to_server,established;
> content:"GET"; http_method; content:"/engine/getData.php?";
> fast_pattern:only; content:"type=service"; http_uri; content:"&file=";
> http_uri; metadata:ruleset community, service http; reference:url,
> objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity;
> sid:1000844; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
> Osx.Adware.Pirrit outbound connection"; flow:to_server,established;
> content:"GET"; http_method; content:"/cld?mid="; fast_pattern:only;
> content:"&ct="; http_uri; content:"User-Agent|3A 20|curl"; http_header;
> metadata:ruleset community, service http; reference:url,objective-see.
> com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000845; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
> Osx.Adware.Pirrit outbound connection"; flow:to_server,established;
> content:"GET"; http_method; content:"/update-effect?mid=";
> fast_pattern:only; content:"&st="; content:"User-Agent|3A 20|curl";
> http_header; metadata:ruleset community, service http; reference:url,
> objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity;
> sid:1000846; rev:1;)
>
> Thank you.
>
> YM
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!