[Snort-sigs] Win32/64 Napolar sig
jlay at ...3266...
Wed Sep 25 16:29:54 EDT 2013
On 2013-09-25 14:21, Nick Randolph wrote:
> I would bet that the USER_NAME and COMP_NAME are variable depending on
> the victim. Avast might have removed them to hide some internal data.
> They did include some hashes so I'll run those through our sandbox and
> let you know what I see.
> On Wed, Sep 25, 2013 at 3:30 PM, James Lay <jlay at ...3266...> wrote:
>> First attempt...hope it doesn't stink :)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32/64.Napolar initial POST"; flow:to_server,established;
>> content:"|26|u=USER_NAME|26|c=COMP_NAME|26|s="; fast_pattern:only;
>> metadata:policy balanced-ips drop, policy security-ips drop,
>> http, ruleset community;
>> classtype:trojan-activity; sid:10000099; rev:1;)
Thanks Nick...wasn't sure either, but eh...didn't have that much to go
on :) Seemed neat though...32/64 and all.
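As an added illustration of Nick's point (not part of the thread), the check below runs the draft rule's literal content match, and a structural alternative that only fixes the `&u=`/`&c=`/`&s=` keys, against constructed POST bodies. It assumes USER_NAME and COMP_NAME are per-victim placeholders in the Avast write-up rather than literal strings on the wire.

```python
import re

# The draft rule's content match as Snort searches the body: |26| is hex for '&'.
LITERAL = b"&u=USER_NAME&c=COMP_NAME&s="

# Structural pattern (assumption, per Nick's guess): fixed keys, variable values.
# In Snort 2.x the same idea would be written as pcre with the P modifier
# (http_client_body), e.g. pcre:"/&u=[^&]+&c=[^&]+&s=/P";
STRUCTURAL = re.compile(rb"&u=[^&]+&c=[^&]+&s=")

# Constructed sample POST bodies, not real captures from Napolar traffic.
SAMPLES = {
    "placeholder": b"id=1&u=USER_NAME&c=COMP_NAME&s=abc",   # literal placeholders
    "variable":    b"id=1&u=jdoe&c=WORKSTATION-01&s=abc",   # realistic per-victim values
    "benign":      b"user=jdoe&comp=WORKSTATION-01&s=abc",  # different key names
}


def literal_hits(body: bytes) -> bool:
    """True if the draft rule's content: string occurs in the body."""
    return LITERAL in body


def structural_hits(body: bytes) -> bool:
    """True if the body carries the u=/c=/s= key structure with any values."""
    return STRUCTURAL.search(body) is not None


def compare(samples=SAMPLES):
    """Map each sample name to (literal match, structural match)."""
    return {name: (literal_hits(b), structural_hits(b)) for name, b in samples.items()}


if __name__ == "__main__":
    for name, (lit, struct) in compare().items():
        print(f"{name:12s} literal={lit!s:5s} structural={struct}")
```

If the placeholders really are substituted per victim, the literal rule fires only on the first sample while the structural pattern also catches the second without matching the benign body.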