Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Osx.Trojan.Coldroot

From: Phillip Lee <phillile () sourcefire com>
Date: Tue, 10 Apr 2018 11:36:43 -0400
Hi Yaser,
After reviewing this rule, we have decided not to add it to the community ruleset. We have existing coverage via 
sid:46156  We appreciate your contribution.

Regards,
Phil Lee
Cisco Talos


On Apr 3, 2018, at 9:37 AM, Phillip Lee <phillile () sourcefire com> wrote:

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Regards,
Phil Lee
Cisco Talos

On Apr 3, 2018, at 9:11 AM, Y M via Snort-sigs <snort-sigs () lists snort org <mailto:snort-sigs () lists snort 
org>> wrote:

Hi,

The below rule is for Coldroot RAT. Unfortunately, I don't have a pcap for this one.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Torjan.ColdRoot outbound connection"; 
flow:to_server,established; content:"|7B 22|Ver|22 3A|"; content:"|2C 22|RAM|22 3A|"; fast_pattern:only; 
content:"|2C 22|CAM|22 3A|"; content:"|2C 22|Serial|22 3A|"; content:"|2C 22|PCName|22 3A|"; content:"|2C 22|OS|22 
3A|"; content:"|2C 22|ID|22 3A|"; content:"|2C 22|AW|22 3A|"; content:"|2C 22|AV|22 3A|"; metadata:ruleset 
community; reference:url,objective-see.com/blog/blog_0x2A.html <http://objective-see.com/blog/blog_0x2A.html>; 
reference:url,www.virustotal.com/#/file/ad99954171ca4a949c4d82f4851d29e6d19323087df92a7d7133c13950569f29/detection 
<http://www.virustotal.com/#/file/ad99954171ca4a949c4d82f4851d29e6d19323087df92a7d7133c13950569f29/detection>; 
classtype:trojan-activity; sid:9000048; rev:1;)

Thank.
YM





_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: