[Snort-sigs] Trojan Linkup sig

Y M snort at ...3751...
Tue Feb 4 13:24:11 EST 2014


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Linkup outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/uplink.php?logo.jpg"; urilen:20; http_uri; content:"User-Agent: Mozilla/5.0"; http_header; content:"token="; http_client_body; fast_pattern:only; metadata: impact_flag red, policy balanced-ips drop, policy security-drop ips, ruleset community, service http; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid: 100155; rev:1;)
 
Thanks
YM
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140204/aa4429df/attachment.html>


More information about the Snort-sigs mailing list