[Snort-sigs] [Emerging-Sigs] Blackrev C2 sigs

Will Metcalf wmetcalf at ...3525...
Tue May 21 16:26:18 EDT 2013


Yep. Got these and more going in today :)


On Tue, May 21, 2013 at 3:25 PM, James Lay <jlay at ...3266...> wrote:

> Enjoy:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.BlackRev Rev 1 C2 Traffic"; content:"GET"; http_method;
> content:"gate.php|3f|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/m";
> content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Synapse)|0d 0a|";
> http_header; metadata:policy balanced-ips drop, policy security-ips drop,
> ruleset community service http;
> reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi;
> classtype:trojan-activity; sid:10000066; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.BlackRev Rev 2 C2 Traffic"; content:"GET"; http_method;
> content:"gate.php|3f|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{15}/mi";
> content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|";
> http_header; metadata:policy balanced-ips drop, policy security-ips drop,
> ruleset community service http;
> reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi;
> classtype:trojan-activity; sid:10000067; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.BlackRev Rev 3 C2 Traffic"; content:"GET"; http_method;
> content:"gate.php|3f|id="; http_uri; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/mi";
> content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|";
> http_header; metadata:policy balanced-ips drop, policy security-ips drop,
> ruleset community service http;
> reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi;
> classtype:trojan-activity; sid:10000068; rev:1;)
>
> Lots of good info on that reference link.
>
> James
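As an added illustration (not from the thread, and not Snort code), here is a small Python matcher that applies the conditions of the three quoted rules to constructed HTTP requests. It shows how the per-rule User-Agent content is what separates Rev 1 from Rev 2, since the Rev 1 pcre `[a-z]{10}` also matches a 15-letter value, and how the `/i` flag on Rev 2 and 3 lets an upper-case id through where Rev 1 would not. The sample requests and host name are constructed for the demo.

```python
import re

# The three quoted rules transcribed as (name, http_uri content, pcre, User-Agent value).
# Snort 'content' matches are case-sensitive bytes; the pcre /i flag is carried over where set.
RULES = [
    ("BlackRev Rev 1", "gate.php?reg=",
     re.compile(r"gate\.php\?reg=[a-z]{10}", re.M), "Mozilla/4.0 (compatible; Synapse)"),
    ("BlackRev Rev 2", "gate.php?reg=",
     re.compile(r"gate\.php\?reg=[a-z]{15}", re.M | re.I), "Mozilla/4.0 (compatible; SEObot)"),
    ("BlackRev Rev 3", "gate.php?id=",
     re.compile(r"gate\.php\?id=[a-z]{15}", re.M | re.I), "Mozilla/4.0 (compatible; SEObot)"),
]

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, {lowercased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def match_rules(raw: bytes):
    """Return the names of the quoted rules whose conditions this request satisfies."""
    method, uri, headers = parse_request(raw)
    if method != "GET":          # content:"GET"; http_method
        return []
    hits = []
    for name, uri_content, pcre, ua in RULES:
        if uri_content not in uri or not pcre.search(uri):   # http_uri content + pcre
            continue
        # The rule's header content ends in |0d 0a|, so the whole UA value must match.
        if headers.get("user-agent") != ua:
            continue
        hits.append(name)
    return hits

# Constructed sample requests (hypothetical, not real captures).
SAMPLES = {
    "rev1": b"GET /gate.php?reg=abcdefghij HTTP/1.1\r\nHost: c2.example\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; Synapse)\r\n\r\n",
    "rev2": b"GET /gate.php?reg=abcdefghijklmno HTTP/1.1\r\nHost: c2.example\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; SEObot)\r\n\r\n",
    "rev3": b"GET /gate.php?id=ABCDEFGHIJKLMNO HTTP/1.1\r\nHost: c2.example\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; SEObot)\r\n\r\n",
    "benign": b"GET /gate.php?reg=abc123 HTTP/1.1\r\nHost: c2.example\r\n"
              b"User-Agent: Mozilla/5.0\r\n\r\n",
}
```

Running `match_rules` over each entry in `SAMPLES` yields exactly one rule name for the three constructed C2 requests and nothing for the benign one; the rev2 request passes the Rev 1 pcre but is rejected by the Synapse User-Agent check.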