[Snort-sigs] Unknown Botnet sig

Joel Esler jesler at ...435...
Thu Jul 11 18:47:21 EDT 2013


This is the dotcache exploit kit. We have several sigs that catch this already. 


--
Joel Esler
Sent from my iPad

On Jul 11, 2013, at 6:14 PM, James Lay <jlay at ...3266...> wrote:

> Would be nice to put a name to this if anyone has any other info on it:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> Win.Trojan.Kuluoz variant outbound connection"; 
> flow:to_server,established; content:"f=sm_main.mp3"; fast_pattern:only; 
> http_uri; pcre:"/[a-f0-9]{10}/\x3ff=sm_main.mp3\x26k=[0-9]{15}/U"; 
> metadata:policy balanced-ips drop, policy security-ips drop, service 
> http; 
> reference:url,http://research.zscaler.com/2013/07/tracking-botnet-infection.html; 
> classtype:trojan-activity; sid:10000087; rev:1;)
> 
> James
> 
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!




More information about the Snort-sigs mailing list