Snort mailing list archives
Win.Trojan.Fareit signature
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 4 Jan 2018 18:22:25 +0000
Hi, The detection for the client_body is clumsy in this one since it appears to be dynamic and changes on each request. One request had post body variables that can be sig'ed but it wouldn't trigger on other requests. Pcap is available for this one. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit/VBKrypt/Neurevt outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; fast_pattern:only; http_uri; content:"Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:"="; depth:10; http_client_body; content:"&"; distance:0; http_client_body; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,virustotal.com/en/file/6de535e8d4b82e5554a138ec1d6c6b530943ff08d5e04308d695f473e74f9600/analysis/; classtype:trojan-activity; sid:9000007; rev:1;) Thanks. YM
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Win.Trojan.Fareit signature Y M via Snort-sigs (Jan 04)
- Re: Win.Trojan.Fareit signature Tyler Montier (Jan 08)