Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort-sigs Digest, Vol 10, Issue 6

From: Briana Magana via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 13 Apr 2018 14:26:33 +0000
All all software foundations or stocks money markets or other investments
sells transfers  accounts and get a refund i never give them permission get
do any transfers of all my email Api DNS phone number (951)581-7429 or
(951)478-2004 name Briana Magana 03/01/1989 ssn618-32-7382 or other
programs or money transfer or change of name or add someone

On Wed, Mar 14, 2018, 11:44 AM <snort-sigs-request () lists snort org> wrote:


Send Snort-sigs mailing list submissions to
        snort-sigs () lists snort org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.snort.org/mailman/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
        snort-sigs-request () lists snort org

You can reach the person managing the list at
        snort-sigs-owner () lists snort org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."
Today's Topics:

   1. HTTP interception/injection (Y M)
   2. Win.Trojan.yty (Y M)



---------- Forwarded message ----------
From: Y M <snort () outlook com>
To: snort-sigs <snort-sigs () lists snort org>
Cc:
Bcc:
Date: Wed, 14 Mar 2018 18:36:28 +0000
Subject: [Snort-sigs] HTTP interception/injection

Hi,


The below rules are based of CitizenLab report "Bad Traffic". The pcaps
are available at the GitHub resource.


alert tcp $EXTERNAL_NET 80 -> $HOME_NET  any (msg:"MALWARE-OTHER
device-specific generic injected HTTP response";
flow:to_client,established; id:13330; flags:FA; content:"307 Temporary
Redirect"; content:"Location|3A 20|"; content:"Connection|3A 20|close";
content:!"Content-Type|3A 20|"; content:!"Date|3A 20|"; metadata:ruleset
community, service http; reference:url,
citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria;
reference:url,github.com/citizenlab/badtraffic;
classtype:trojan-activity; sid:9000040; rev:1;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MALWARE-OTHER
device-specific file download injected HTTP response";
flow:to_client,established; id:13330; flags:FA; content:"307 Temporary
Redirect|0A|"; content:"Location|3A 20|"; content:"Connection|3A
20|close|0A|"; content:!"Content-Type|3A 20|"; content:!"Date|3A 20|";
pcre:"/Location\x3a\x20.+\.php\x3f[a-z]\x3d[a-f0-9]{64}\x0a/i";
metadata:ruleset community, service http; reference:url,
citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria;
reference:url,github.com/citizenlab/badtraffic;
classtype:trojan-activity; sid:9000041; rev:1;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MALWARE-OTHER
device-specific AdHose injected HTTP response"; flow:to_client,established;
id:13330; flags:FA; content:"307 Temporary Redirect|0D 0A|";
content:"Location|3A 20|"; content:"Connection|3A 20|close|0D 0A|";
content:!"Content-Type|3A 20|"; content:!"Date|3A 20|";
pcre:"/Location\x3a\x20.+\.html\x0d\x0a/i"; metadata:ruleset community,
service http; reference:url,
citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria;
reference:url,github.com/citizenlab/badtraffic;
classtype:trojan-activity; sid:9000042; rev:1;)

Thanks.
YM




---------- Forwarded message ----------
From: Y M <snort () outlook com>
To: snort-sigs <snort-sigs () lists snort org>
Cc:
Bcc:
Date: Wed, 14 Mar 2018 18:38:35 +0000
Subject: [Snort-sigs] Win.Trojan.yty

Hi


The below rules are based of the research posted at the resource link.
Unfortunately, no pcaps available.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.yty initial outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"score=Name|3A|"; fast_pattern:only;
http_client_body; content:">Caption|3A|"; http_client_body;
content:">SerialNumber|3A|"; http_client_body; content:">VM|3A|";
http_client_body; metadata:ruleset community, service http; reference:url,
www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/;
classtype:trojan-activity; sid:9000043; rev:1;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.yty retrieve modules outbound connection";
flow:to_server,established; content:"POST"; http_method; content:"pc=";
http_client_body; content:"&whi="; http_client_body; fast_pattern:only;
content:"&pc_data=<div class=|27|pcinfo|27|>"; http_client_body;
metadata:ruleset community, service http; reference:url,
www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/;
classtype:trojan-activity; sid:9000044; rev:1;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.yty exfiltration outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:"/file_upload?"; http_uri; fast_pattern:only; content:"status=";
http_uri; content:"&path="; http_uri; content:"&pc="; http_uri;
content:"&type="; http_uri; content:"&fname="; http_uri;
content:"&cnumber="; http_uri; content:"&orname="; http_uri;
content:"&ofid="; http_uri; metadata:ruleset community, service http;
reference:url,
www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/;
classtype:trojan-activity; sid:9000045; rev:1;)


Thanks.

YM


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
http://www.snort.org

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Please visit http://blog.snort.org for the latest news about Snort!


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: