[Snort-sigs] JackPOS sig

James Lay jlay at ...3266...
Tue Feb 11 15:46:54 EST 2014


alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS User-Agent detected"; flow:to_server,established; file_data; content:"User-Agent|3A|something"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html; classtype:trojan-activity; sid:10000125; rev:1;)

PoS Malware..what a pain.

James
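
Added example, not part of the original post: a small Python check of which byte string the rule's content option decodes to and which request headers contain it. It models only the content match (not flow, file_data or fast_pattern) and assumes header bytes are compared as sent; the sample requests, the example.invalid host and all helper names are constructed for illustration.

```python
# Content option exactly as posted in the rule above.
RULE_CONTENT = 'User-Agent|3A|something'

def decode_content(pattern: str) -> bytes:
    """Decode Snort content syntax: literal text mixed with |hex byte| runs."""
    parts = pattern.split('|')
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode('latin-1')   # literal text
        else:
            out += bytes.fromhex(part)      # hex run, spaces allowed
    return bytes(out)

def header_block(raw_request: bytes) -> bytes:
    """Header lines only: after the request line, before the blank line."""
    head = raw_request.split(b'\r\n\r\n', 1)[0]
    return head.split(b'\r\n', 1)[1] if b'\r\n' in head else b''

def content_matches(pattern: str, raw_request: bytes, nocase: bool = False) -> bool:
    """True if the decoded pattern occurs in the request's header block."""
    needle, hay = decode_content(pattern), header_block(raw_request)
    if nocase:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

def make_request(ua_line: bytes) -> bytes:
    """Build a constructed HTTP request carrying the given User-Agent line."""
    return (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n" + ua_line +
            b"\r\nContent-Length: 0\r\n\r\n")

# Constructed samples: same header value, different spacing, plus a browser.
REQ_NOSPACE = make_request(b"User-Agent:something")
REQ_SPACE = make_request(b"User-Agent: something")
REQ_BROWSER = make_request(b"User-Agent: Mozilla/5.0")

if __name__ == "__main__":
    for pat in (RULE_CONTENT, 'User-Agent|3A 20|something'):
        print(pat, '->', decode_content(pat))
        for name, req in (("no space", REQ_NOSPACE), ("space", REQ_SPACE),
                          ("browser", REQ_BROWSER)):
            print("   ", name, content_matches(pat, req))
```

Running the same check against a capture of the traffic of interest shows whether the header is sent with or without a space after the colon, which decides between `|3A|` and `|3A 20|` in the content option.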



