[Snort-sigs] Trojan Linkup sig

Y M snort at ...3751...
Tue Feb 4 21:46:38 EST 2014

Thanks Carlos.
Date: Tue, 4 Feb 2014 16:15:11 -0500
Subject: Re: [Snort-sigs] Trojan Linkup sig
From: cpacho at ...435...
To: snort at ...3751...
CC: snort-sigs at lists.sourceforge.net

We will get this rule added to the community ruleset.

Carlos Pacho
Research Engineer, VRT

Sourcefire, now part of Cisco
cpacho at ...435...

On Tue, Feb 4, 2014 at 1:24 PM, Y M <snort at ...3751...> wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Linkup outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/uplink.php?logo.jpg"; http_uri; urilen:20; content:"User-Agent: Mozilla/5.0"; http_header; content:"token="; http_client_body; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid:100155; rev:1;)

Snort-sigs mailing list

Snort-sigs at lists.sourceforge.net



Please visit http://blog.snort.org for the latest news about Snort!
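The rule quoted above only fires when every one of its checks holds on the same request: the method buffer contains POST, the normalized URI contains /uplink.php?logo.jpg and is exactly 20 bytes long, the header block contains the User-Agent string, and the client body contains token= (the last one doubling as the fast-pattern content). As an added example, not code from the list post or from Sourcefire/VRT, the Python below replays those same checks over constructed HTTP requests so the effect of each option can be seen in isolation. The host name and the body values are placeholders, not indicators from the post.

```python
"""Added example (not code from the list post or from Sourcefire/VRT): the
Win.Trojan.Linkup rule's checks replayed in Python over constructed HTTP
requests, one check per Snort buffer the rule inspects."""

from typing import List, Optional, Tuple

# Constructed sample requests; the host is a placeholder, not an IoC from the post.
MATCHING_REQUEST = (
    b"POST /uplink.php?logo.jpg HTTP/1.1\r\n"
    b"Host: cnc.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"token=abcde"
)

# Same URI and body but a GET: content:"POST"; http_method does not match.
GET_REQUEST = MATCHING_REQUEST.replace(b"POST ", b"GET ", 1)

# Extra query parameter pushes the URI to 24 bytes: urilen:20 does not match.
LONG_URI_REQUEST = MATCHING_REQUEST.replace(
    b"/uplink.php?logo.jpg", b"/uplink.php?logo.jpg&x=1", 1
)

# Correct method and URI, but the body carries no token= field.
NO_TOKEN_REQUEST = MATCHING_REQUEST.replace(b"token=abcde", b"id=aaaaaaaa", 1)


def parse_http_request(raw: bytes) -> Optional[Tuple[bytes, bytes, bytes, bytes]]:
    """Split a raw request into (method, uri, header block, body).

    Returns None when the request is malformed; a rule simply fails to match
    such traffic rather than raising, so the caller treats None as no match."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    return method, uri, headers, body


def linkup_rule_matches(raw: bytes) -> bool:
    """Apply the rule's five checks; all must hold, as in Snort, where every
    content/urilen option in a rule has to match before the alert fires.

    Plain content matches are case-sensitive (the rule has no nocase), while
    a fast_pattern:only content is matched case-insensitively by the fast
    pattern matcher, hence the .lower() on the body check."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return False
    method, uri, headers, body = parsed
    return (
        b"POST" in method                          # content:"POST"; http_method;
        and b"/uplink.php?logo.jpg" in uri         # content:"/uplink.php?logo.jpg"; http_uri;
        and len(uri) == 20                         # urilen:20;
        and b"User-Agent: Mozilla/5.0" in headers  # content:"User-Agent: Mozilla/5.0"; http_header;
        and b"token=" in body.lower()              # content:"token="; http_client_body; fast_pattern:only;
    )


def scan(requests: List[Tuple[str, bytes]]) -> List[str]:
    """Return the labels of the requests the rule would alert on."""
    return [label for label, raw in requests if linkup_rule_matches(raw)]


if __name__ == "__main__":
    samples = [
        ("matching", MATCHING_REQUEST),
        ("get", GET_REQUEST),
        ("long-uri", LONG_URI_REQUEST),
        ("no-token", NO_TOKEN_REQUEST),
    ]
    print(scan(samples))
```

Two simplifications to keep in mind when comparing this against Snort itself: the script does not normalize the URI (Snort's http_uri and urilen operate on the normalized form, so encoded variants of the path are handled there but not here), and it treats the whole header block as one buffer, whereas Snort's http_header excludes the cookie. Both differences only make the script stricter than the rule, never looser.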