[Snort-sigs] TROJ_NAIKON.A sig

James Lay jlay at ...3266...
Fri Apr 26 15:35:03 EDT 2013


And another (slow day)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 
(msg:"INDICATOR-COMPROMISED TROJ_NAIKON.A User-Agent"; 
flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2f|WEB"; 
http_header; fast_pattern:only; metadata:policy balanced-ips drop, 
policy security-ips drop, service http; 
reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; 
classtype:trojan-activity; sid:10000050; rev:1;)

I'm thinking file_data isn't needed as we're just looking at headers?

James




More information about the Snort-sigs mailing list