[Snort-sigs] Bisonha C&C activity

Joel Esler jesler at ...435...
Wed Sep 4 11:36:31 EDT 2013


Thanks Paul!

On Sep 4, 2013, at 11:01 AM, Paul Bottomley <Paul.Bottomley at ...3813...> wrote:

> Afternoon,
>  
> 3001 is the only static match I can find… there may be something better to use?
> I’ve included {262,304} given there are 42 zeros at offset 0x83 and not sure if they are always used?
>  
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bisonha C&C activity"; flow:to_server,established; content:"3001"; fast_pattern; http_uri; pcre:"/3001[0-9A-F]{262,304}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://bl0g.cedricpernet.net/; classtype:trojan-activity; sid:xxxxx; rev:1;)
>  
> 
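The rule quoted above keys on the static `3001` token followed by a run of 262 to 304 uppercase hex characters in the request URI. The following Python is an illustration added here, not part of the thread and not Snort code: it re-implements the pcre's matching logic over constructed sample URIs so the effect of the quantifier bounds can be checked offline. The `/gate.php?id=` path is an assumed placeholder, and Python's `re` does not reproduce Snort's `/U` normalized-URI buffer semantics or the `content`/`fast_pattern` pre-filter.

```python
import re

# The expression from the proposed rule's pcre option. Snort's /U modifier
# (match against the normalized HTTP URI buffer) has no equivalent in re.
BISONHA_URI_RE = re.compile(r"3001[0-9A-F]{262,304}")

# Hypothetical callback path, used only to build the constructed sample URIs.
SAMPLE_PATH = "/gate.php?id="


def uri_matches(uri: str) -> bool:
    """Return True when the rule's pcre would fire on this request URI."""
    return BISONHA_URI_RE.search(uri) is not None


def matched_hex_len(uri: str):
    """Length of the hex run the regex consumed, or None when there is no match."""
    m = BISONHA_URI_RE.search(uri)
    return None if m is None else len(m.group(0)) - len("3001")


def build_sample(hex_run_len: int, char: str = "A") -> str:
    """Constructed sample URI: the static '3001' token followed by a hex run."""
    return SAMPLE_PATH + "3001" + char * hex_run_len


# Constructed cases exercising the quantifier bounds and the character class.
SAMPLE_CASES = {
    "below_lower_bound_261": build_sample(261),
    "at_lower_bound_262": build_sample(262),
    "at_upper_bound_304": build_sample(304),
    "above_upper_bound_305": build_sample(305),
    "lowercase_hex_262": build_sample(262, "a"),
    "no_token": SAMPLE_PATH + "A" * 300,
}


def evaluate_samples() -> dict:
    """Map each constructed case name to whether the rule logic would alert."""
    return {name: uri_matches(uri) for name, uri in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:>24}: {'alert' if hit else 'no alert'}")
```

Two of the constructed cases answer the questions raised in the post: the 305-character run still matches because the pattern is not anchored, so the upper bound of 304 only caps what the regex consumes, not how long the run may be; and the lowercase run does not match because `[0-9A-F]` is case-sensitive, which matters if the normalized URI can carry lowercase hex.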
