[Snort-sigs] Magic Trojan

James Lay jlay at ...3266...
Thu Apr 18 13:40:43 EDT 2013


Silly name, but eh:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"SPECIFI-THREATS Magic Trojan"; flow:established,to_client; 
file_data; content:"some_magic_code1"; depth:20; fast_pattern; 
reference:url,http://www.seculert.com/blog/2013/04/magic-persistent-threat.html; 
classtype:trojan-activity; sid:10000046; rev:1;)

James



