[Snort-sigs] Nettraveler sig

Joel Esler jesler at ...435...
Tue Jun 4 19:10:10 EDT 2013


I have the sample running in my sandbox now, I'll write this up when I get done.


On Jun 4, 2013, at 6:39 PM, James Lay <jlay at ...3266...> wrote:

> On 2013-06-04 15:52, James Lay wrote:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
>> (msg:"MALWARE-CNC
>> Nettraveler C2 Control Loop"; flow:to_server,established;
>> content:"nettraveler.asp|3f|action="; http_uri; ; metadata:policy
>> balanced-ips drop, policy security-ips drop, service http;
>> 
>> reference:url,http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf;
>> 
>> classtype:trojan-activity; sid:10000073; rev:1;)
>> 
>> Nice writeup in that PDF.
>> 
>> James
>> 
>> 
>> ------------------------------------------------------------------------------
>> How ServiceNow helps IT people transform IT departments:
>> 1. A cloud service to automate IT design, transition and operations
>> 2. Dashboards that offer high-level views of enterprise services
>> 3. A single system of record for all IT processes
>> http://p.sf.net/sfu/servicenow-d2d-j
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>> 
>> 
>> Please visit http://blog.snort.org for the latest news about Snort!
> 
> And fixed (extraneous ; )
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> Nettraveler C2 Control Loop"; flow:to_server,established; 
> content:"nettraveler.asp|3f|action="; http_uri; metadata:policy 
> balanced-ips drop, policy security-ips drop, service http; 
> reference:url,http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; 
> classtype:trojan-activity; sid:10000073; rev:2;)
> 
> James
> 
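As an added example (not code from this thread or from the Snort project): a small Python checker that decodes the rule's content string, including the |3f| hex escape, runs it against constructed request URIs, and counts the empty option ("; ;") that the rev:2 rule removed. Both rule strings below are assembled from the posted rule; the URIs are constructed, not real traffic.

```python
# Option strings taken from the two rules posted in the thread (rule header omitted).
REV1_OPTIONS = ('msg:"MALWARE-CNC Nettraveler C2 Control Loop"; flow:to_server,established; '
                'content:"nettraveler.asp|3f|action="; http_uri; ; metadata:policy balanced-ips drop, '
                'policy security-ips drop, service http; classtype:trojan-activity; sid:10000073; rev:1;')
REV2_OPTIONS = REV1_OPTIONS.replace('http_uri; ;', 'http_uri;').replace('rev:1;', 'rev:2;')

def split_options(options: str) -> list:
    """Split a Snort option body on ';' outside double quotes, keeping empty entries."""
    parts, cur, in_quote = [], [], False
    for ch in options:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        parts.append(tail)
    return parts

def empty_options(options: str) -> int:
    """Count empty options such as the stray '; ;' that rev:2 of the rule fixed."""
    return sum(1 for p in split_options(options) if p == '')

def decode_content(pattern: str) -> bytes:
    """Decode Snort content syntax: literal text with |hh hh| hex escapes between pipes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split('|')):
        out += chunk.encode('latin-1') if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)

def uri_matches(options: str, uri: str) -> bool:
    """True when every content: pattern in the rule appears in the request URI (case-sensitive)."""
    data = uri.encode('latin-1')
    pats = [decode_content(o[len('content:'):].strip().strip('"'))
            for o in split_options(options) if o.startswith('content:')]
    return bool(pats) and all(p in data for p in pats)

# Constructed sample URIs: one shaped like the C2 check-in, one benign look-alike.
SAMPLE_URIS = ["/nettraveler.asp?action=getcmd&hostid=TEST", "/index.asp?action=login"]

if __name__ == "__main__":
    print("empty options in rev:1:", empty_options(REV1_OPTIONS))
    for u in SAMPLE_URIS:
        print(u, "->", uri_matches(REV2_OPTIONS, u))
```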