[Snort-sigs] JackPOS sig

James Lay jlay at ...3266...
Tue Feb 11 18:09:02 EST 2014


On 2014-02-11 13:46, James Lay wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS User-Agent detected"; flow:to_server,established; file_data; content:"User-Agent|3A|something"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html; classtype:trojan-activity; sid:10000125; rev:1;)
>
> PoS Malware..what a pain.
>
> James



Heh... @Rmkl to the rescue again:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS User-Agent detected"; flow:to_server,established; file_data; content:"User-Agent|3A 20|something"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html; classtype:trojan-activity; sid:10000125; rev:2;)



