[Snort-sigs] Trojan Linkup sig

Carlos Pacho cpacho at ...435...
Tue Feb 4 16:15:11 EST 2014


We will get this rule added to the community ruleset.

Thanks!

Carlos Pacho
Research Engineer, VRT
Sourcefire, now part of Cisco
cpacho at ...435...
Sourcefire.com <http://www.sourcefire.com/>


On Tue, Feb 4, 2014 at 1:24 PM, Y M <snort at ...3751...> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Linkup outbound connection attempt"; flow:to_server,established;
> content:"POST"; http_method; content:"/uplink.php?logo.jpg"; urilen:20;
> http_uri; content:"User-Agent: Mozilla/5.0"; http_header; content:"token=";
> http_client_body; fast_pattern:only; metadata:impact_flag red, policy
> balanced-ips drop, policy security-ips drop, ruleset community, service
> http;
> reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/;
> classtype:trojan-activity; sid:100155; rev:1;)
>
> Thanks
> YM
>
>
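Added example (not part of the mailing-list post and not Snort code): a small Python check that evaluates the individual content options of the submitted rule (http_method, http_uri plus urilen, http_header, http_client_body) against raw HTTP request bytes, so a detection engineer can confirm a test fixture really exercises every condition before loading the rule into Snort. The function names and the sample requests are constructed for this example; they are not captured traffic.

```python
"""Offline check of the Win.Trojan.Linkup rule's content conditions.

This is an added example, not Snort and not the rule author's code. It
re-implements only the rule's buffer tests so that a pcap-derived or
hand-built test request can be validated before the rule is deployed.
"""

# Values copied from the posted rule.
RULE_METHOD = b"POST"
RULE_URI = b"/uplink.php?logo.jpg"
RULE_URILEN = 20
RULE_HEADER = b"User-Agent: Mozilla/5.0"
RULE_BODY = b"token="


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers_block, body).

    Returns None when the request line or header terminator is missing.
    Only the pieces the rule's buffers need are extracted; this is not a
    general HTTP parser.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    return method, uri, headers, body


def rule_conditions(raw: bytes) -> dict:
    """Evaluate each content option of the rule against one request.

    Snort content matches are case-sensitive unless 'nocase' is given, and
    the posted rule uses none, so plain byte-substring tests are used here.
    """
    parsed = parse_http_request(raw)
    if parsed is None:
        return {"parseable": False}
    method, uri, headers, body = parsed
    return {
        "parseable": True,
        "http_method": method == RULE_METHOD,
        "http_uri": RULE_URI in uri,
        "urilen": len(uri) == RULE_URILEN,
        "http_header": RULE_HEADER in headers,
        "http_client_body": RULE_BODY in body,
    }


def rule_matches(raw: bytes) -> bool:
    """True only when every condition holds; Snort ANDs all rule options."""
    conds = rule_conditions(raw)
    keys = ("http_method", "http_uri", "urilen", "http_header", "http_client_body")
    return conds.get("parseable", False) and all(conds[k] for k in keys)


# Constructed sample 1: satisfies every condition of the rule.
SAMPLE_MATCH = (
    b"POST /uplink.php?logo.jpg HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"token=abcde"
)

# Constructed sample 2: same path with an extra query parameter, so the URI
# is 24 bytes long; the http_uri content still matches but urilen:20 fails.
SAMPLE_URILEN_MISS = SAMPLE_MATCH.replace(
    b"POST /uplink.php?logo.jpg HTTP/1.1", b"POST /uplink.php?logo.jpg&x=1 HTTP/1.1"
)

# Constructed sample 3: identical content but sent as GET, so http_method fails.
SAMPLE_GET = SAMPLE_MATCH.replace(b"POST ", b"GET ", 1)


if __name__ == "__main__":
    for name, sample in (("match", SAMPLE_MATCH),
                         ("urilen miss", SAMPLE_URILEN_MISS),
                         ("GET", SAMPLE_GET)):
        print(name, rule_matches(sample), rule_conditions(sample))
```

The check deliberately models only the content options. It does not model flow:to_server,established (stream state), fast_pattern selection, or Snort's URI normalization, so a fixture that passes here still needs a run through Snort itself to confirm the alert fires; its value is in showing which single condition a near-miss fixture is failing.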
