[Snort-sigs] Pony checkin

James Lay jlay at ...3266...
Wed Oct 30 18:55:29 EDT 2013


Didn't see this in the current sets:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Pony Checkin"; \
    flow:to_server,established; content:"POST"; content:"HTTP|2f|1.0"; \
    pcre:"/[a-f0-9]{10,12}\x2f[a-f0-9]{10,12}/Ui"; \
    content:"Content-Type|3a| application/octet-stream"; http_header; \
    reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony; \
    classtype:trojan-activity; sid:10000109; rev:1;)

Tested for errors, but not much more (it's late :P)

James
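To see which of the rule's conditions a given request satisfies before deploying it, here is an added Python emulation of its content/pcre checks over constructed sample requests (my code, not James's rule or Snort itself). It assumes the intended URI shape is a hex segment, one slash, a hex segment, and it does not model flow state or Snort's URI normalisation.

```python
import re

# Constructed sample requests (not real captures); the hex path segments are made up.
PONY_LIKE = (
    b"POST /0a1b2c3d4e5f/9f8e7d6c5b4a HTTP/1.0\r\n"
    b"Host: c2.invalid\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 4\r\n\r\nabcd"
)
BENIGN_UPLOAD = (
    b"POST /api/upload HTTP/1.1\r\n"
    b"Host: files.invalid\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
)
# Same as PONY_LIKE but with a lowercase header name: the rule has no "nocase",
# so its content match on the header buffer is case-sensitive and will not fire.
LOWERCASE_HEADER = PONY_LIKE.replace(b"Content-Type:", b"content-type:")

# What the rule's pcre asserts on the URI buffer (/U); the /i flag maps to IGNORECASE.
URI_RE = re.compile(rb"[a-f0-9]{10,12}/[a-f0-9]{10,12}", re.IGNORECASE)


def rule_misses(raw):
    """Return the names of the rule's match conditions NOT met by the request.

    An empty list means every content/pcre condition is satisfied, i.e. the
    rule would fire on this payload (ignoring flow and normalisation).
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    checks = {
        # plain content options match anywhere in the raw payload
        'content:"POST"': b"POST" in raw,
        'content:"HTTP|2f|1.0"': b"HTTP/1.0" in raw,
        # pcre with /U is evaluated against the (normalised) URI only
        "pcre (U)": URI_RE.search(uri) is not None,
        # http_header restricts this content match to the header buffer
        "content ... http_header": b"Content-Type: application/octet-stream" in header_block,
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    for name, sample in [("PONY_LIKE", PONY_LIKE), ("BENIGN_UPLOAD", BENIGN_UPLOAD),
                         ("LOWERCASE_HEADER", LOWERCASE_HEADER)]:
        print(name, "->", rule_misses(sample) or "would alert")
```

The lowercase-header sample shows one gap a practitioner may want to close with `nocase` on the header content match.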
