[Snort-sigs] Detection for "niki-bot" and "Awesome Screenshot URL" spyware

Tony Robinson deusexmachina667 at ...2420...
Thu Aug 14 11:52:54 EDT 2014


Source: https://mig5.net/content/awesome-screenshot-and-niki-bot

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT niki-bot"; flow:to_server,established; content:"User-Agent|3A| niki-bot"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; classtype:attempted-recon; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; sid:1000000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI POST request to /service2"; flow:to_server,established; content:"POST"; http_method; content:"/service2"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; classtype:successful-recon-limited; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; sid:1000001; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain s1821.crdui.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|s1821|05|crdui|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; classtype:attempted-recon; sid:1000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain webovernet.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|webovernet|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; classtype:attempted-recon; sid:1000003; rev:1;)

-- 
when does reality end? when does fantasy begin?
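The two DNS rules above match on the queried name in DNS wire format (one length byte per label, terminated by a zero byte) and use byte_test:1,!&,0xF8,2 to restrict the match to standard queries (QR bit and Opcode all zero in the byte at offset 2 of the DNS header). The following Python is an added example, not code from Tony Robinson's post or from the mig5.net write-up: it derives the |05|s1821|05|crdui|03|com|00| style content string from a domain name, builds a constructed DNS query packet, and applies the same flags check and name match the rules perform, so you can confirm a pattern before loading a rule. Function names and the sample domains are the author's choice; the packets are constructed here, not captured.

```python
import struct


def dns_label_content(domain: str) -> str:
    """Snort content string for a domain in DNS wire format.

    's1821.crdui.com' -> '|05|s1821|05|crdui|03|com|00|'
    Each label is prefixed by its length as a hex byte; the name ends in |00|.
    """
    parts = []
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"invalid DNS label length: {label!r}")
        parts.append(f"|{len(label):02X}|{label}")
    return "".join(parts) + "|00|"


def dns_wire_name(domain: str) -> bytes:
    """Raw wire-format bytes for a domain name (what the content string matches)."""
    out = b""
    for label in domain.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(domain: str, txid: int = 0x1234, qr: int = 0, opcode: int = 0) -> bytes:
    """Constructed DNS message: 12-byte header plus one A/IN question.

    qr and opcode land in the flags byte at offset 2, which is what
    byte_test:1,!&,0xF8,2 inspects. RD is set as a normal resolver query would.
    """
    flags = (qr << 15) | (opcode << 11) | 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = dns_wire_name(domain) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def flags_byte_is_standard_query(dns_payload: bytes) -> bool:
    """Equivalent of byte_test:1,!&,0xF8,2: none of QR/Opcode bits set at offset 2."""
    return len(dns_payload) > 2 and (dns_payload[2] & 0xF8) == 0


def rule_matches(dns_payload: bytes, domain: str) -> bool:
    """Both rule conditions: standard query AND the wire-format name is present."""
    return flags_byte_is_standard_query(dns_payload) and dns_wire_name(domain) in dns_payload


if __name__ == "__main__":
    for name in ("s1821.crdui.com", "webovernet.com"):
        print(name, "->", dns_label_content(name))
    query = build_dns_query("webovernet.com")
    response_like = build_dns_query("webovernet.com", qr=1)
    print("query matches:", rule_matches(query, "webovernet.com"))
    print("response matches:", rule_matches(response_like, "webovernet.com"))
```

Note that the rule content is matched case-sensitively because the rules carry no nocase; DNS names are case-insensitive on the wire, so a query for WebOverNet.com would not trigger the webovernet.com rule as written. The byte_test keeps responses (QR=1) from matching, which is why the response-like packet in the example is rejected even though it carries the same name.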
