[Snort-sigs] Pony checkin

James Lay jlay at ...3266...
Wed Oct 30 19:29:38 EDT 2013


On Oct 30, 2013, at 4:55 PM, James Lay <jlay at ...3266...> wrote:

> Didn't see this in the current sets:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> Win32/Pony Checkin"; flow:to_server,established; content:"POST"; 
> content:"HTTP|2f|1.0"; pcre:"/[a-f0-9]{10,12}/\x2f[a-f0-9]{10,12}/Ui"; 
> content:"Content-Type|3a| application/octet-stream"; http_header; 
> reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony; 
> classtype:trojan-activity; sid:10000109; rev:1;)
> 
> Tested for errors, but not much more (it's late :P)
> 
> James
> 

Sloppy work…changed here:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Pony Checkin"; flow:to_server,established; content:"POST"; http_method; content:"HTTP|2f|1.0"; pcre:"/\x2f[a-f0-9]{10,12}\x2f[a-f0-9]{10,12}/Ui"; content:"Content-Type|3a| application/octet-stream"; http_header; reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony; classtype:trojan-activity; sid:10000109; rev:1;)

Thanks to rmkml…sharp!

James
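Added example, not part of the thread: a small Python harness that re-implements the matchable parts of the revised rule (POST method, HTTP/1.0 version, the URI PCRE, and the Content-Type header) and runs the original and revised PCREs over constructed requests. Reading the original pcre the way Snort does, with the last `/` as the closing delimiter, its unescaped `/` followed by `\x2f` demands two consecutive slashes and nothing ties the first hex run to a preceding slash; the harness shows it missing the `/hex/hex` check-in and firing only on a double-slash path. The sample requests and the `c2.example.invalid` host are made up.

```python
import re

# Original pcre from the first post, read with the last "/" as the closing
# delimiter (as Snort does): "[a-f0-9]{10,12}/\x2f[a-f0-9]{10,12}", i.e. a hex
# run, then a literal "//", then another hex run.
ORIGINAL_PCRE = re.compile(r"[a-f0-9]{10,12}/\x2f[a-f0-9]{10,12}", re.I)

# Revised pcre from the follow-up: "/<10-12 hex>/<10-12 hex>".
REVISED_PCRE = re.compile(r"\x2f[a-f0-9]{10,12}\x2f[a-f0-9]{10,12}", re.I)


def make_request(method, uri, version, content_type):
    """Build a minimal constructed HTTP request (not a real capture)."""
    return (f"{method} {uri} {version}\r\n"
            "Host: c2.example.invalid\r\n"
            f"Content-Type: {content_type}\r\n"
            "Content-Length: 0\r\n\r\n")


# Constructed samples: one in the shape the rule describes, plus near misses
# that each violate exactly one of the rule's conditions.
SAMPLES = {
    "checkin":      make_request("POST", "/a1b2c3d4e5f6/0123456789ab", "HTTP/1.0",
                                 "application/octet-stream"),
    "form_post":    make_request("POST", "/a1b2c3d4e5f6/0123456789ab", "HTTP/1.0",
                                 "application/x-www-form-urlencoded"),
    "short_path":   make_request("POST", "/abc/def", "HTTP/1.0",
                                 "application/octet-stream"),
    "get_request":  make_request("GET", "/a1b2c3d4e5f6/0123456789ab", "HTTP/1.0",
                                 "application/octet-stream"),
    "http_1_1":     make_request("POST", "/a1b2c3d4e5f6/0123456789ab", "HTTP/1.1",
                                 "application/octet-stream"),
    "double_slash": make_request("POST", "/a1b2c3d4e5f6//0123456789ab", "HTTP/1.0",
                                 "application/octet-stream"),
}


def rule_matches(request, uri_pattern=REVISED_PCRE):
    """Apply the rule's content/pcre conditions to one request string.

    flow:to_server and the port/direction checks are assumed satisfied; the
    remaining options are evaluated in rule order.
    """
    head, _, _body = request.partition("\r\n\r\n")
    request_line, _, headers = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    method, uri, version = parts
    if method != "POST":                     # content:"POST"; http_method
        return False
    if version != "HTTP/1.0":                # content:"HTTP|2f|1.0"
        return False
    if uri_pattern.search(uri) is None:      # pcre:"/.../Ui" on the URI
        return False
    # content:"Content-Type|3a| application/octet-stream"; http_header
    # (no nocase in the rule, so the comparison is case-sensitive)
    return "Content-Type: application/octet-stream" in headers


def evaluate_all(uri_pattern=REVISED_PCRE):
    """Run every sample through the rule with the given URI pattern."""
    return {name: rule_matches(req, uri_pattern) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PCRE), ("revised", REVISED_PCRE)):
        print(label, evaluate_all(pattern))
```

With the revised pattern only the `checkin` sample fires; with the original pattern `checkin` is missed and only the `double_slash` sample fires, which is the difference the follow-up post corrected.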