[Snort-sigs] Magic Trojan

James Lay jlay at ...3266...
Thu Apr 18 14:46:27 EDT 2013


On 2013-04-18 12:03, Joel Esler wrote:
> On Apr 18, 2013, at 1:40 PM, James Lay <jlay at ...3266...> wrote:
>
>> Silly name, but eh:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> (msg:"SPECIFI-THREATS Magic Trojan"; flow:established,to_client;
>> file_data; content:"some_magic_code1"; depth:20; ; fast_pattern;
>> reference:url,http://www.seculert.com/blog/2013/04/magic-persistent-threat.html;
>> classtype:trojan-activity; sid:10000046; rev:1;)
>
> I cleaned the rule up and it will ship as SID: 26467.
>
> Thanks James!
>
> --
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire


Thanks Joel...as I look at it (SPECIFI???  REALLY???) my rules always 
need cleaned ;)

James



