[Snort-sigs] [Emerging-Sigs] TROJ_NAIKON.A sig

Will Metcalf wmetcalf at ...3525...
Fri Apr 26 15:48:40 EDT 2013


This won't work on snort unless 443 is configured as an http port in your
http_inspect config, which it generally is not. No biggie though we can
drop http_header for snort....

Regards,

Will


On Fri, Apr 26, 2013 at 2:35 PM, James Lay <jlay at ...3266...> wrote:

> And another (slow day)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"INDICATOR-COMPROMISED
> TROJ_NAIKON.A User-Agent"; flow:to_server,established;
> content:"User-Agent|3A| NOKIAN95|2f|WEB"; http_header; fast_pattern:only;
> metadata:policy balanced-ips drop, policy security-ips drop, service http;
> reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/;
> classtype:trojan-activity; sid:10000050; rev:1;)
>
> I'm thinking file_data isn't needed as we're just looking at headers?
>
> James
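Added illustration of Will's point, not a rule or config from the thread: the http_header buffer is only filled for ports that http_inspect decodes, so a rule watching port 443 either needs that port added to the preprocessor or has to match the raw TCP payload. Both variants below are constructed here for a Snort 2.9 snort.conf; the sid is a placeholder in the local range.

```snort
# Option 1 (snort.conf): have http_inspect decode 443 so the http_header
# buffer exists for James's rule as written. Assumes the default server
# profile is in use. Genuine TLS on 443 is then also fed to http_inspect,
# so expect some preprocessor anomaly events on real HTTPS sessions.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 443 }

# Option 2 (rules file): leave http_inspect alone and match the raw
# payload instead. The leading CRLF pins the match to the start of a
# header line and the trailing CRLF requires the value to end at
# NOKIAN95/WEB, which keeps the pattern from firing on arbitrary body
# bytes that happen to contain the string. "service http" is dropped
# because the traffic is not decoded as HTTP on this port.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \
    msg:"INDICATOR-COMPROMISED TROJ_NAIKON.A User-Agent (raw payload)"; \
    flow:to_server,established; \
    content:"|0D 0A|User-Agent|3A| NOKIAN95|2F|WEB|0D 0A|"; fast_pattern:only; \
    metadata:policy balanced-ips drop, policy security-ips drop; \
    reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; \
    classtype:trojan-activity; sid:10000051; rev:1;)
```

Option 2 only sees the cleartext requests the Trend Micro write-up describes; if the campaign ever moves to real TLS, neither variant will match and the detection has to move to the TLS handshake or to the endpoint.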

