[Snort-sigs] Pony checkin

Joel Esler joel.esler at ...3366...
Thu Oct 31 09:00:15 EDT 2013


On Oct 30, 2013, at 7:29 PM, James Lay <jlay at ...3266...> wrote:

> On Oct 30, 2013, at 4:55 PM, James Lay <jlay at ...3266...> wrote:
> 
>> Didn't see this in the current sets:
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
>> Win32/Pony Checkin"; flow:to_server,established; content:"POST"; 
>> content:"HTTP|2f|1.0"; pcre:"/[a-f0-9]{10,12}/\x2f[a-f0-9]{10,12}/Ui"; 
>> content:"Content-Type|3a| application/octet-stream"; http_header; 
>> reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony; 
>> classtype:trojan-activity; sid:10000109; rev:1;)
>> 
>> Tested for errors, but not much more (it's late :P)
>> 
>> James
>> 
> 
> Sloppy work…changed here:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Pony Checkin"; flow:to_server,established; content:"POST"; http_method; content:"HTTP|2f|1.0"; pcre:"/\x2f[a-f0-9]{10,12}\x2f[a-f0-9]{10,12}/Ui"; content:"Content-Type|3a| application/octet-stream"; http_header; reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony; classtype:trojan-activity; sid:10000109; rev:1;)


Thanks James, we’ll have someone take a look!

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131031/04f98b33/attachment.html>
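An added example, not code from the thread and not a Sourcefire/VRT rule: a Python stand-in for the option-by-option match logic of James's corrected Pony checkin signature, run over a handful of constructed HTTP requests so each condition (POST method, HTTP/1.0, the /<hex>/<hex> URI, the octet-stream Content-Type header) can be exercised offline. Assumptions are marked in the code: the sample requests are made up, flow:to_server,established is taken as given, and the raw request-target and header block stand in for Snort's normalized URI and http_header buffers.

```python
import re

# Added example, not the rule or code from the snort-sigs thread: a Python
# stand-in for the match conditions of the corrected Win32/Pony checkin
# rule, applied to constructed HTTP requests. The samples below are made
# up for this example; they are not captured Pony traffic.

# Same expression as the rule's pcre, with the escaped slashes (\x2f)
# written literally. Snort's "U" modifier selects the normalized URI buffer
# and "i" makes the match case-insensitive; here the raw request-target is
# used instead of a normalized URI (an approximation).
PONY_URI_RE = re.compile(rb"/[a-f0-9]{10,12}/[a-f0-9]{10,12}", re.IGNORECASE)


def pony_checkin(raw: bytes) -> bool:
    """Return True when every content/pcre condition of the rule holds.

    flow:to_server,established is a connection property the sensor knows;
    the constructed samples are all assumed to be client->server requests.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False
    method, target, _version = parts
    return (
        # content:"POST"; http_method  (method buffer, case-sensitive)
        method == b"POST"
        # content:"HTTP|2f|1.0"  (no buffer modifier: anywhere in the payload)
        and b"HTTP/1.0" in raw
        # pcre:"/\x2f[a-f0-9]{10,12}\x2f[a-f0-9]{10,12}/Ui"
        and PONY_URI_RE.search(target) is not None
        # content:"Content-Type|3a| application/octet-stream"; http_header
        and b"Content-Type: application/octet-stream" in head
    )


def _request(method, target, version, content_type):
    """Build a constructed request from a request line and a Content-Type."""
    return (
        b"%s %s %s\r\n" % (method, target, version)
        + b"Host: 203.0.113.10\r\n"
        + b"Content-Type: %s\r\n" % content_type
        + b"Content-Length: 4\r\n\r\nPONY"
    )


# Constructed samples (not real traffic): one true positive, one with
# upper-case hex to exercise the "i" modifier, and four near misses that
# each fail exactly one of the rule's conditions.
SAMPLES = {
    "checkin": _request(b"POST", b"/a1b2c3d4e5f6/0123456789ab", b"HTTP/1.0", b"application/octet-stream"),
    "upper_hex": _request(b"POST", b"/A1B2C3D4E5F6/0123456789AB", b"HTTP/1.0", b"application/octet-stream"),
    "get_method": _request(b"GET", b"/a1b2c3d4e5f6/0123456789ab", b"HTTP/1.0", b"application/octet-stream"),
    "http_1_1": _request(b"POST", b"/a1b2c3d4e5f6/0123456789ab", b"HTTP/1.1", b"application/octet-stream"),
    "short_path": _request(b"POST", b"/abc/def", b"HTTP/1.0", b"application/octet-stream"),
    "form_post": _request(b"POST", b"/a1b2c3d4e5f6/0123456789ab", b"HTTP/1.0", b"application/x-www-form-urlencoded"),
}


def scan(samples=SAMPLES):
    """Apply the rule logic to every sample; returns {name: matched}."""
    return {name: pony_checkin(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:12s} {'ALERT' if hit else '-'}")
```

The URI pattern is the one from the corrected posting, where both path separators are written as \x2f; the first posting left the middle slash unescaped inside the /.../ delimiters, which is the "sloppy work" the follow-up fixed. The http_1_1 sample is worth noting: the rule's HTTP|2f|1.0 content has no buffer modifier, so an HTTP/1.1 checkin with the same URI and header would not fire.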

