[Snort-sigs] JackPOS sig

James Lay jlay at ...3266...
Tue Feb 11 18:13:02 EST 2014


On 2014-02-11 15:42, James Espinosa wrote:
> Thanks, James. Although, in the POST request referenced in the
> SpiderLabs blog, the user agent string has a space (i.e. User-Agent:
> something). I also had issues producing an alert while testing. I
> removed the FILE_DATA keyword from the rule and it fired correctly
> (the user agent string is seen in requests going from internal to
> external (exfil), but not in the return traffic). Please correct me
> if I'm wrong, but perhaps this might work?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS User-Agent detected";
> flow:to_server,established; content:"User-Agent|3A| something"; http_header;
> fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http;
> reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html;
> classtype:trojan-activity; sid:10000125; rev:1;)
>
> On Tue, Feb 11, 2014 at 2:46 PM, James Lay <jlay at ...3266...> wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS User-Agent detected";
>> flow:to_server,established; file_data; content:"User-Agent|3A|something"; http_header;
>> fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http;
>> reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html;
>> classtype:trojan-activity; sid:10000125; rev:1;)
>>
>> PoS Malware..what a pain.
>>
>> James

Ah thank you....ya my sig-fu is weak these days :(

James
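The two points raised in the thread (the missing space after the colon in the content string, and the User-Agent only appearing in the outbound request, not in the return traffic) can be checked offline with a small model of how Snort decodes a content string and which HTTP buffer it searches. The script below is an added illustration, not code from the thread or from Snort: the `|3A|` pipe-hex decoding follows Snort's documented content syntax, but the buffer split is a deliberate simplification (the header lines of the message as `http_header`, everything after the blank line as `body`, no http_inspect normalisation, and no attempt to reproduce `file_data` semantics exactly). The HTTP request and response are constructed sample traffic.

```python
# Added illustration (not from the thread): a tiny model of how a Snort
# content string is decoded and which HTTP buffer it is searched in.


def parse_snort_content(pattern: str) -> bytes:
    """Decode a Snort content string into the raw bytes Snort searches for.

    Text between a pair of '|' characters is a run of hex byte values
    (e.g. '|3A|' is a colon); everything outside the pipes is literal.
    Snort's backslash escapes are not modelled here (assumption).
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string: %r" % pattern)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")                   # literal text
        else:
            out += bytes(int(h, 16) for h in part.split())  # hex run
    return bytes(out)


def http_buffers(raw: bytes) -> dict:
    """Split one HTTP message into the buffers a rule can point at.

    Simplified model: 'http_header' holds the header lines after the
    start line, 'body' holds everything after the blank line. Real Snort
    applies http_inspect normalisation that is ignored here.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return {
        "start_line": lines[0],
        "http_header": b"\r\n".join(lines[1:]) + b"\r\n",
        "body": body,
    }


def content_matches(raw: bytes, pattern: str, buffer: str) -> bool:
    """True if the decoded content occurs in the chosen buffer of the message."""
    return parse_snort_content(pattern) in http_buffers(raw)[buffer]


# Constructed sample traffic shaped like the exchange described in the thread:
# the client request carries the User-Agent header, the server reply does not.
CLIENT_REQUEST = (
    b"POST /post.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: something\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"hello=world"
)
SERVER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"OK"
)


def evaluate_thread_variants() -> dict:
    """Run the two content strings from the thread against both directions."""
    with_space = "User-Agent|3A| something"
    no_space = "User-Agent|3A|something"
    return {
        # revised rule: space after the colon, header buffer of the request
        "space_request_header": content_matches(CLIENT_REQUEST, with_space, "http_header"),
        # original content string: no space, so the header line does not contain it
        "nospace_request_header": content_matches(CLIENT_REQUEST, no_space, "http_header"),
        # neither spelling appears in the server's reply body
        "space_response_body": content_matches(SERVER_RESPONSE, with_space, "body"),
        "nospace_response_body": content_matches(SERVER_RESPONSE, no_space, "body"),
    }


if __name__ == "__main__":
    for name, hit in evaluate_thread_variants().items():
        print(f"{name:24s} -> {'ALERT' if hit else 'no match'}")
```

Only the first variant (space after the colon, searched in the request's header buffer) produces a hit; that is the combination the revised rule uses. When tuning a rule like this, feeding a captured request through a decoder such as the one above before deploying is a quick way to catch a byte-level mismatch that a pcap replay would otherwise only report as "no alert".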
