[Snort-sigs] JackPOS sig

Joel Esler (jesler) jesler at ...3865...
Fri Feb 14 11:39:57 EST 2014


James,

This (and one more) have been committed:
29816
29817


--
Joel Esler
Threat Intelligence Team Lead
Open Source Manager
Vulnerability Research Team

On Feb 11, 2014, at 7:21 PM, Joel Esler <jesler at ...3865...> wrote:

Thanks James, we’ll get this in!

--
Joel Esler
Threat Intelligence Team Lead
Open Source Manager
Vulnerability Research Team

On Feb 11, 2014, at 6:09 PM, James Lay <jlay at ...3266...> wrote:

On 2014-02-11 13:46, James Lay wrote:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS User-Agent detected"; flow:to_server,established; file_data; content:"User-Agent|3A|something"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html; classtype:trojan-activity; sid:10000125; rev:1;)

PoS malware... what a pain.

James


Please visit http://blog.snort.org for the latest news about Snort!

Heh... @Rmkl to the rescue again:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS User-Agent detected"; flow:to_server,established; file_data; content:"User-Agent|3A 20|something"; http_header; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html; classtype:trojan-activity; sid:10000125; rev:2;)
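Why rev:1 never fires and rev:2 does, as an added example that is not part of the thread: a small Python check that decodes Snort's pipe-hex content notation and runs both content strings against a constructed HTTP request header. The request is constructed, and "something" stands in for the User-Agent value exactly as the posted rules do; the real JackPOS string does not appear on this page.

```python
# Added example (not from the thread): decode Snort content strings and test
# them against a constructed request, showing why rev:1 misses and rev:2 hits.

# Constructed request, not a JackPOS capture. "something" is the same
# placeholder User-Agent value the posted rules use.
SAMPLE_REQUEST = (
    b"POST /gateway HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: something\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

CONTENT_REV1 = "User-Agent|3A|something"     # rev:1 - no space after the colon
CONTENT_REV2 = "User-Agent|3A 20|something"  # rev:2 - |20| is the space


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string into the raw bytes the engine searches for.

    Text outside pipes is literal; text between pipes is hex bytes separated
    by optional whitespace, so |3A 20| becomes b": ".
    """
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string: %r" % content)
    out = bytearray()
    for i, chunk in enumerate(parts):
        if i % 2:  # odd index: inside a |...| hex section
            out += bytes.fromhex(chunk)
        else:
            out += chunk.encode("latin-1")
    return bytes(out)


def http_header_buffer(request: bytes) -> bytes:
    """Return the request header block, the region the http_header modifier inspects."""
    end = request.find(b"\r\n\r\n")
    return request if end == -1 else request[: end + 4]


def content_matches(content: str, request: bytes) -> bool:
    """True if the decoded content bytes appear in the request's header buffer."""
    return snort_content_to_bytes(content) in http_header_buffer(request)


if __name__ == "__main__":
    for label, content in (("rev:1", CONTENT_REV1), ("rev:2", CONTENT_REV2)):
        hit = content_matches(content, SAMPLE_REQUEST)
        print(label, snort_content_to_bytes(content), "->", "match" if hit else "no match")
```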

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org