Snort mailing list archives
Reflow JS Backdoor sigs
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 27 Apr 2018 14:08:32 +0000
Hi, Unfortunately, there are not pcaps or hashes available for this one. The rules are based on the screenshots and analysis provided by the reference. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Reflow JS backdoor outbound connection"; flow:to_server,established; content:"/?reflow"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.kahusecurity.com/?p=13700; classtype:trojan-activity; sid:8000006; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Reflow JS backdoor outbound connection"; flow:to_server,established; content:"Accept|3A 20|text/html, application/xhtml+xml, */*"; fast_pattern:only; http_header; content:"User-Agent|3A 20|Mozilla/5.0 (compatible|3B| MSIE9.0|3B| Windows NT 6.1|3B| Trident/5.0)"; http_header; content:"Cookie|3A 20|"; http_header; metadata:ruleset community, service http; reference:url,www.kahusecurity.com/?p=13700; classtype:trojan-activity; sid:8000007; rev:1;) Thanks YM
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Reflow JS Backdoor sigs Y M via Snort-sigs (Apr 27)