Snort mailing list archives
Re: Snort-sigs Digest, Vol 10, Issue 6
From: Briana Magana via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 13 Apr 2018 14:26:33 +0000
All all software foundations or stocks money markets or other investments sells transfers accounts and get a refund i never give them permission get do any transfers of all my email Api DNS phone number (951)581-7429 or (951)478-2004 name Briana Magana 03/01/1989 ssn618-32-7382 or other programs or money transfer or change of name or add someone On Wed, Mar 14, 2018, 11:44 AM <snort-sigs-request () lists snort org> wrote:
Send Snort-sigs mailing list submissions to snort-sigs () lists snort org To subscribe or unsubscribe via the World Wide Web, visit https://lists.snort.org/mailman/listinfo/snort-sigs or, via email, send a message with subject or body 'help' to snort-sigs-request () lists snort org You can reach the person managing the list at snort-sigs-owner () lists snort org When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-sigs digest..." Today's Topics: 1. HTTP interception/injection (Y M) 2. Win.Trojan.yty (Y M) ---------- Forwarded message ---------- From: Y M <snort () outlook com> To: snort-sigs <snort-sigs () lists snort org> Cc: Bcc: Date: Wed, 14 Mar 2018 18:36:28 +0000 Subject: [Snort-sigs] HTTP interception/injection Hi, The below rules are based of CitizenLab report "Bad Traffic". The pcaps are available at the GitHub resource. alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MALWARE-OTHER device-specific generic injected HTTP response"; flow:to_client,established; id:13330; flags:FA; content:"307 Temporary Redirect"; content:"Location|3A 20|"; content:"Connection|3A 20|close"; content:!"Content-Type|3A 20|"; content:!"Date|3A 20|"; metadata:ruleset community, service http; reference:url, citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria; reference:url,github.com/citizenlab/badtraffic; classtype:trojan-activity; sid:9000040; rev:1;) alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MALWARE-OTHER device-specific file download injected HTTP response"; flow:to_client,established; id:13330; flags:FA; content:"307 Temporary Redirect|0A|"; content:"Location|3A 20|"; content:"Connection|3A 20|close|0A|"; content:!"Content-Type|3A 20|"; content:!"Date|3A 20|"; pcre:"/Location\x3a\x20.+\.php\x3f[a-z]\x3d[a-f0-9]{64}\x0a/i"; metadata:ruleset community, service http; reference:url, citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria; reference:url,github.com/citizenlab/badtraffic; classtype:trojan-activity; sid:9000041; rev:1;) alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MALWARE-OTHER device-specific AdHose injected HTTP response"; flow:to_client,established; id:13330; flags:FA; content:"307 Temporary Redirect|0D 0A|"; content:"Location|3A 20|"; content:"Connection|3A 20|close|0D 0A|"; content:!"Content-Type|3A 20|"; content:!"Date|3A 20|"; pcre:"/Location\x3a\x20.+\.html\x0d\x0a/i"; metadata:ruleset community, service http; reference:url, citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria; reference:url,github.com/citizenlab/badtraffic; classtype:trojan-activity; sid:9000042; rev:1;) Thanks. YM ---------- Forwarded message ---------- From: Y M <snort () outlook com> To: snort-sigs <snort-sigs () lists snort org> Cc: Bcc: Date: Wed, 14 Mar 2018 18:38:35 +0000 Subject: [Snort-sigs] Win.Trojan.yty Hi The below rules are based of the research posted at the resource link. Unfortunately, no pcaps available. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty initial outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"score=Name|3A|"; fast_pattern:only; http_client_body; content:">Caption|3A|"; http_client_body; content:">SerialNumber|3A|"; http_client_body; content:">VM|3A|"; http_client_body; metadata:ruleset community, service http; reference:url, www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:9000043; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty retrieve modules outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"pc="; http_client_body; content:"&whi="; http_client_body; fast_pattern:only; content:"&pc_data=<div class=|27|pcinfo|27|>"; http_client_body; metadata:ruleset community, service http; reference:url, www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:9000044; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty exfiltration outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/file_upload?"; http_uri; fast_pattern:only; content:"status="; http_uri; content:"&path="; http_uri; content:"&pc="; http_uri; content:"&type="; http_uri; content:"&fname="; http_uri; content:"&cnumber="; http_uri; content:"&orname="; http_uri; content:"&ofid="; http_uri; metadata:ruleset community, service http; reference:url, www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:9000045; rev:1;) Thanks. YM _______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs http://www.snort.org Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Please visit http://blog.snort.org for the latest news about Snort!
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Re: Snort-sigs Digest, Vol 10, Issue 6 Briana Magana via Snort-sigs (Apr 13)