Snort mailing list archives
Re: Win.Torjan.NeutrinoPOS variant
From: Ernest Johnson via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 8 May 2018 13:56:16 -0500
Can you take a look at these rules and tell me what you think, please?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible POST GandCrab Ransomware infection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"78.155.206.6/curl.php?"; classtype:ransomware-attack; sid:1000000013; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible GandCrab Ransomware Attack"; flow:to_server,established; content:"GET"; nocase; http_method; content:"ipv4bot.whatismyipaddress.com/"; classtype:ransomware-attack; sid:1000000012; rev:1;)

alert tcp $HOME_NET any -> [66.171.248.178,101.226.79.205,112.90.141.215,78.155.206.6] $HTTP_PORTS (msg:"Possible GandCrab Ransomware Attack"; flow:to_server,established; classtype:ransomware-attack; sid:1000000014; rev:1;)

On Tue, Apr 3, 2018 at 8:39 AM, Phillip Lee <phillile () sourcefire com> wrote:
Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. Can you send along the pcap that you have?

Regards,
Phil Lee
Cisco Talos

On Apr 3, 2018, at 9:13 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

A pcap for this one is available.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker NeutrinoPOS variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?&1001="; fast_pattern:only; http_uri; content:"&99="; http_uri; content:"&f1="; http_uri; content:"Accept-Charset|3A 20|"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/detection; classtype:trojan-activity; sid:9000049; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker NeutrinoPOS variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/index.php?&1001="; fast_pattern:only; http_uri; content:"&req="; http_uri; content:!"Connection"; http_header; content:"1="; within:3; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/detection; classtype:trojan-activity; sid:9000050; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org <http://snort.org/> to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
--
Ernest Johnson
504 621 2520
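A reviewer's first pass on rules sent to the list is a syntax sanity check before any pcap testing. The linter below is an added example, not code from this thread or from Snort itself; its rule strings are constructed to reproduce the kinds of defects a submission can carry (a curly quote, an unquoted content list, a classtype missing from the stock classification.config, a content with no http_* modifier) next to a clean NeutrinoPOS-style rule, and its classtype and modifier sets are partial subsets assumed for illustration.

```python
# Minimal Snort 2 rule linter (added example, not Snort's parser): a syntax sanity pass over submitted rules.
DEFAULT_CLASSTYPES = {"trojan-activity", "attempted-admin", "attempted-user", "attempted-recon", "bad-unknown", "misc-activity"}
HTTP_MODS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_client_body", "http_method", "http_cookie"}

def split_options(body):
    """Split 'k:v; k:v; ...' on ';' outside double quotes. Returns (options, quotes_balanced)."""
    opts, cur, inq, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if inq and c == "\\" and i + 1 < len(body):  # keep escapes such as \" inside a string
            cur.append(body[i:i + 2]); i += 2; continue
        if c == '"': inq = not inq
        cur.append(c)
        if c == ";" and not inq:
            opts.append("".join(cur[:-1])); cur = []
        i += 1
    opts.append("".join(cur))
    return [o.strip() for o in opts if o.strip()], not inq

def lint_rule(rule):
    """Return human-readable findings for one rule; an empty list means nothing was flagged."""
    findings = []
    if "\u201c" in rule or "\u201d" in rule:
        findings.append("curly quote character: Snort only understands ASCII double quotes")
    opts, balanced = split_options(rule.partition("(")[2].rstrip().rstrip(")"))
    if not balanced:
        findings.append("unbalanced double quotes in rule options")
    contents = []  # [value, bound to an http_* buffer?]
    for opt in opts:
        name, _, value = (s.strip() for s in opt.partition(":"))
        if name == "content":
            contents.append([value, False])
        elif name in HTTP_MODS and contents:
            contents[-1][1] = True
        elif name == "classtype" and value not in DEFAULT_CLASSTYPES:
            findings.append(f"classtype {value!r} is not in the stock classification.config")
    for value, has_mod in contents:
        if not (len(value) >= 2 and value[0] in '"!' and value.endswith('"')):
            findings.append(f"content {value!r} must be one double-quoted string")
        elif not has_mod:
            findings.append(f"content {value} has no http_* modifier: it matches anywhere in the payload")
    return findings

# Constructed inputs: two rules carrying the defects a reviewer looks for, plus a clean one.
RAW_CONTENT = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"curl.php beacon"; flow:to_server,established; '
               'content:"POST"; http_method; content:"78.155.206.6/curl.php?"; classtype:trojan-activity; sid:1000000013; rev:1;)')
BAD_SYNTAX = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"C2 IP list"; flow:to_server,established; '
              'content: [66.171.248.178, 78.155.206.6]\u201d; classtype: ransomware-attack; sid:1000000014; rev:1;)')
CLEAN = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NeutrinoPOS GET"; flow:to_server,established; '
         'content:"GET"; http_method; content:"/index.php?&1001="; fast_pattern:only; http_uri; classtype:trojan-activity; sid:9000049; rev:1;)')
```

Running lint_rule over each constant reports the defects in the first two rules and nothing for the clean one.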
Current thread:
- Win.Torjan.NeutrinoPOS variant Y M via Snort-sigs (Apr 03)
- Re: Win.Torjan.NeutrinoPOS variant Phillip Lee (Apr 03)
- Re: Win.Torjan.NeutrinoPOS variant Ernest Johnson via Snort-sigs (May 08)
- Re: Win.Torjan.NeutrinoPOS variant Phillip Lee (Apr 03)