Snort mailing list archives

Win.Trojan.Fareit signature


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 4 Jan 2018 18:22:25 +0000

Hi,


The detection for the client_body is clumsy in this one since it appears to be dynamic and changes on each request. One 
request had post body variables that can be sig'ed but it wouldn't trigger on other requests. Pcap is available for 
this one.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit/VBKrypt/Neurevt outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; fast_pattern:only; http_uri; content:"Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:"="; depth:10; http_client_body; content:"&"; distance:0; http_client_body; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,virustotal.com/en/file/6de535e8d4b82e5554a138ec1d6c6b530943ff08d5e04308d695f473e74f9600/analysis/; classtype:trojan-activity; sid:9000007; rev:1;)


Thanks.

YM
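To make the rule's matching logic concrete, here is an added Python re-implementation of the checks in sid 9000007 (not code from the post or from Snort itself, and only an approximation of Snort's buffer semantics). The two HTTP requests are constructed samples: one shaped like the described beacon and one ordinary browser form POST. It shows why the body check is generic (any "=" in the first 10 bytes followed later by "&") and why the negated "Accept"/"Referer"/"Connection" headers are what keep browser traffic from firing.

```python
# Constructed sample requests, not captured traffic from the original post.
FAREIT_LIKE = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"a=1&id=ZmFrZQ==&os=5.1"
)
BROWSER_POST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://example.invalid/\r\n"
    b"Connection: keep-alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"user=bob&pass=secret"
)


def split_request(raw):
    """Split a raw HTTP request into (method, uri, header block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    # Re-add the CRLF on the last header so "...|0D 0A|" style needles match.
    return method, uri, headers + b"\r\n", body


def matches_sid_9000007(raw):
    """Approximate the content matches of the rule; True if it would fire."""
    method, uri, headers, body = split_request(raw)
    if method != b"POST" or b".php" not in uri:          # http_method / http_uri
        return False
    for needle in (b"Content-Type: application/x-www-form-urlencoded\r\n",
                   b"Cache-Control: no-cache\r\n"):      # positive http_header matches
        if needle not in headers:
            return False
    # Negated matches: note "Accept" also covers Accept-Language/Accept-Encoding,
    # so essentially every browser POST is excluded here.
    for absent in (b"Connection", b"Accept", b"Referer"):
        if absent in headers:
            return False
    eq = body.find(b"=", 0, 10)                          # content:"="; depth:10
    if eq == -1:
        return False
    return body.find(b"&", eq + 1) != -1                 # content:"&"; distance:0
```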

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

