[Snort-sigs] Blackrev C2 sigs

Joel Esler jesler at ...435...
Tue Jun 4 11:34:35 EDT 2013


James,

There were actually 25 total rules written for this; we gave credit to you for all of them and released them in the community ruleset as of last night.

Thanks!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On May 21, 2013, at 5:17 PM, Patrick Mullen <pmullen at ...435...> wrote:

> Thanks, James!  They should be in tonight's community build as sids 26713-26715.
> 
> 
> ~Patrick
> 
> On Tue, May 21, 2013 at 4:25 PM, James Lay <jlay at ...3266...> wrote:
>> Enjoy:
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 1 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/m"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Synapse)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000066; rev:1;)
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 2 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{15}/mi"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000067; rev:1;)
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 3 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|id="; http_uri; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/mi"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000068; rev:1;)
>> 
>> Lots of good info on that reference link.
>> 
>> James
>> 
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>> 
>> 
>> Please visit http://blog.snort.org for the latest news about Snort!
> 
> 
> 
> -- 
> Patrick Mullen
> Response Research Manager
> Sourcefire VRT
> 
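The three signatures quoted above can be sanity-checked before deployment by re-expressing their conditions and running constructed requests through them. The following is an added example, not code from this thread or from Sourcefire: it mirrors each option of the rules (the `http_method` and `http_uri` content matches are case-sensitive substring tests, the `pcre` with no buffer modifier is evaluated against the whole request head, and the `http_header` match includes the trailing CRLF). The hostnames and request bodies are constructed samples; the sid values are the ones from the posted rules. The uppercase sample shows the practical difference between the Rev 1 pattern (`/m`, case-sensitive) and the Rev 2 and Rev 3 patterns (`/mi`).

```python
import re

# Added example (not code from the thread): the detection conditions of the
# three BlackRev signatures, re-expressed so they can be exercised against
# constructed HTTP requests. Sample hostnames and requests are constructed.

RULES = [
    {
        "sid": 10000066,
        "uri_content": "gate.php?reg=",                           # content ...; http_uri
        "pcre": re.compile(r"gate\.php\?reg=[a-z]{10}", re.M),     # /m: case-sensitive
        "header_content": "User-Agent: Mozilla/4.0 (compatible; Synapse)\r\n",
    },
    {
        "sid": 10000067,
        "uri_content": "gate.php?reg=",
        "pcre": re.compile(r"gate\.php\?reg=[a-z]{15}", re.M | re.I),  # /mi
        "header_content": "User-Agent: Mozilla/4.0 (compatible; SEObot)\r\n",
    },
    {
        "sid": 10000068,
        "uri_content": "gate.php?id=",
        "pcre": re.compile(r"gate\.php\?id=[a-z]{15}", re.M | re.I),   # /mi
        "header_content": "User-Agent: Mozilla/4.0 (compatible; SEObot)\r\n",
    },
]


def split_request(raw: bytes):
    """Return (method, uri, header_block, head) for a raw HTTP/1.x request.

    head is the request line plus headers; a pcre option with no buffer
    modifier is evaluated against the payload, which this stands in for.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    # The http_header buffer keeps each header's terminating CRLF, which the
    # signatures rely on through the trailing |0d 0a| in their content match.
    return method, uri, header_block + "\r\n", head


def match_rules(raw: bytes) -> list[int]:
    """Return the sids of the signatures whose conditions the request satisfies."""
    parsed = split_request(raw)
    if parsed is None:
        return []
    method, uri, header_block, head = parsed
    hits = []
    for rule in RULES:
        if method != "GET":                                  # content:"GET"; http_method
            continue
        if rule["uri_content"] not in uri:                   # case-sensitive (no nocase)
            continue
        if not rule["pcre"].search(head):                    # pcre against the payload
            continue
        if rule["header_content"] not in header_block:       # content ...; http_header
            continue
        hits.append(rule["sid"])
    return hits


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "rev1": (b"GET /gate.php?reg=abcdefghij HTTP/1.1\r\n"
             b"Host: c2.example.invalid\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; Synapse)\r\n\r\n"),
    # Uppercase id: fails the case-sensitive Rev 1 pcre, matches the /mi Rev 2 one.
    "rev2_uppercase_id": (b"GET /gate.php?reg=ABCDEFGHIJKLMNO HTTP/1.1\r\n"
                          b"Host: c2.example.invalid\r\n"
                          b"User-Agent: Mozilla/4.0 (compatible; SEObot)\r\n\r\n"),
    "rev3": (b"GET /gate.php?id=abcdefghijklmno HTTP/1.1\r\n"
             b"Host: c2.example.invalid\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; SEObot)\r\n\r\n"),
    # Same URI shape but an ordinary browser User-Agent: no rule should fire.
    "benign_user_agent": (b"GET /gate.php?reg=abcdefghij HTTP/1.1\r\n"
                          b"Host: www.example.invalid\r\n"
                          b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"),
    # Wrong method: the http_method content match excludes it.
    "post_not_get": (b"POST /gate.php?reg=abcdefghij HTTP/1.1\r\n"
                     b"Host: c2.example.invalid\r\n"
                     b"User-Agent: Mozilla/4.0 (compatible; Synapse)\r\n\r\n"),
}


def run_samples() -> dict[str, list[int]]:
    """Evaluate every constructed sample and return {name: [matching sids]}."""
    return {name: match_rules(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name:18s} -> {sids}")
```

A check like this is only a model of the rule options, not a substitute for running the rules through Snort against a pcap, but it is a cheap way to confirm that the case-sensitivity and header expectations of each revision are what the rule author intended before a signature reaches a production sensor.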
