[Snort-sigs] Trojan Linkup sig

Y M snort at ...3751...
Tue Feb 4 21:46:38 EST 2014


Thanks Carlos.
 
YM
 
Date: Tue, 4 Feb 2014 16:15:11 -0500
Subject: Re: [Snort-sigs] Trojan Linkup sig
From: cpacho at ...435...
To: snort at ...3751...
CC: snort-sigs at lists.sourceforge.net

We will get this rule added to the community ruleset.

Thanks!
Carlos Pacho
Research Engineer, VRT

Sourcefire, now part of Cisco
cpacho at ...435...
Sourcefire.com


On Tue, Feb 4, 2014 at 1:24 PM, Y M <snort at ...3751...> wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Linkup outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/uplink.php?logo.jpg"; http_uri; urilen:20; content:"User-Agent: Mozilla/5.0"; http_header; content:"token="; http_client_body; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid:100155; rev:1;)

Thanks
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
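As an added example that is not part of this thread and not Snort itself, the following Python checker mirrors the five conditions of the Win.Trojan.Linkup rule quoted above (POST method, the 20-byte URI, the User-Agent header, and "token=" in the client body) against constructed HTTP requests, showing which request buffer each content modifier constrains. The host name and sample requests are made up.

```python
RULE_URI = "/uplink.php?logo.jpg"          # content ... http_uri (20 chars, so urilen:20 means an exact URI)
RULE_UA = "User-Agent: Mozilla/5.0"        # content ... http_header
RULE_BODY = b"token="                      # content ... http_client_body; fast_pattern:only


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into the buffers the rule inspects."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.decode("latin-1").split(" ", 2)
    return {"method": method, "uri": uri,
            "headers": header_block.decode("latin-1"), "body": body}


def matches_linkup_rule(raw: bytes) -> bool:
    """Apply the rule's checks buffer by buffer; all must hold, as in Snort."""
    req = parse_http_request(raw)
    return (req["method"] == "POST"              # content:"POST"; http_method
            and RULE_URI in req["uri"]           # http_uri content match (substring)
            and len(req["uri"]) == 20            # urilen:20 (exact URI length)
            and RULE_UA in req["headers"]        # http_header
            and RULE_BODY in req["body"])        # http_client_body


# Constructed sample requests (not real captures); "c2.example" is a placeholder host.
MATCHING = (b"POST /uplink.php?logo.jpg HTTP/1.1\r\nHost: c2.example\r\n"
            b"User-Agent: Mozilla/5.0\r\nContent-Length: 12\r\n\r\ntoken=abcdef")
# "token=" only in the query string, not the body: http_client_body does not see it.
TOKEN_IN_QUERY = (b"POST /uplink.php?token=1 HTTP/1.1\r\nHost: c2.example\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\nx=1")
# Same path with extra query bytes: URI is 22 chars, so urilen:20 fails.
LONGER_URI = (b"POST /uplink.php?logo.jpg&x HTTP/1.1\r\nHost: c2.example\r\n"
              b"User-Agent: Mozilla/5.0\r\n\r\ntoken=z")
# GET instead of POST: http_method check fails although every other buffer matches.
WRONG_METHOD = (b"GET /uplink.php?logo.jpg HTTP/1.1\r\nHost: c2.example\r\n"
                b"User-Agent: Mozilla/5.0\r\n\r\ntoken=z")

if __name__ == "__main__":
    for name, sample in [("MATCHING", MATCHING), ("TOKEN_IN_QUERY", TOKEN_IN_QUERY),
                         ("LONGER_URI", LONGER_URI), ("WRONG_METHOD", WRONG_METHOD)]:
        print(f"{name:15s} -> {'alert' if matches_linkup_rule(sample) else 'no alert'}")
```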
