Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Win.Torjan.NeutrinoPOS variant

From: Ernest Johnson via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 8 May 2018 13:56:16 -0500
can you take a look at these rules and tell me what you think please

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible  POST
GandCrab Ransomware infection"; flow:to_server,established; content:"POST";
nocase; http_method; content:" 78.155.206.6/curl.php?: "; classtype:
ransomware-attack; sid:1000000013; rev:1;)



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible
GandCrab Ransomware Attack"; flow:to_server,established; content:"GET";
nocase; http_method; content:" ipv4bot.whatismyipaddress.com/”; classtype:
ransomware-attack; sid:1000000012; rev:1;)



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:" Possible
GandCrab Ransomware Attack "; flow:to_server,established; content:
[66.171.248.178, 101.226.79.205, 112.90.141.215,78.155.206.6]"; classtype:
ransomware-attack; sid:1000000014; rev:1;)




On Tue, Apr 3, 2018 at 8:39 AM, Phillip Lee <phillile () sourcefire com> wrote:


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Can you send along the pcap that you have?

Regards,
Phil Lee
Cisco Talos

On Apr 3, 2018, at 9:13 AM, Y M via Snort-sigs <snort-sigs () lists snort org>
wrote:

Hi,

A pcap for this one is available.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Banker NeutrinoPOS variant outbound connection";
flow:to_server,established; content:"GET"; http_method;
content:"/index.php?&1001="; fast_pattern:only; http_uri; content:"&99=";
http_uri; content:"&f1="; http_uri; content:"Accept-Charset|3A 20|";
http_header; metadata:ruleset community, service http; reference:url,
www.virustotal.com/#/file/123275cc76ef377986715c98abb0fe
c50cbd53f01dc3976080009dc7cdafbe86/detection; classtype:trojan-activity;
sid:9000049; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Banker NeutrinoPOS variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:"/index.php?&1001="; fast_pattern:only; http_uri; content:"&req=";
http_uri; content:!"Connection"; http_header; content:"1="; within:3;
http_client_body; metadata:ruleset community, service http; reference:url,
www.virustotal.com/#/file/123275cc76ef377986715c98abb0fe
c50cbd53f01dc3976080009dc7cdafbe86/detection; classtype:trojan-activity;
sid:9000050; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-
etiquette

Visit the Snort.org <http://snort.org/> to subscribe to the official
Snort ruleset, make sure to stay up to date to catch the most <a href="
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-
the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most <a href="
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!





-- 
Ernest Johnson
504 621 2520

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: