[Snort-sigs] JackPOS sig

James Lay jlay at ...3266...
Fri Feb 14 12:04:00 EST 2014


On 2014-02-14 09:39, Joel Esler (jesler) wrote:
> James,
>
> This (and one more) have been committed:
> 29816
> 29817
>
> --
>  JOEL ESLER
>  Threat Intelligence Team Lead
>  Open Source Manager
>  Vulnerability Research Team
>
> On Feb 11, 2014, at 7:21 PM, Joel Esler <jesler at ...3865...> wrote:
>
>> Thanks James, we’ll get this in!
>>
>> --
>> JOEL ESLER
>> Threat Intelligence Team Lead
>> Open Source Manager
>> Vulnerability Research Team
>>
>> On Feb 11, 2014, at 6:09 PM, James Lay <jlay at ...3266...> wrote:
>>
>>> On 2014-02-11 13:46, James Lay wrote:
>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( \
>>>>   msg:"MALWARE-CNC JackPOS User-Agent detected"; \
>>>>   flow:to_server,established; \
>>>>   content:"User-Agent|3A|something"; http_header; fast_pattern:only; \
>>>>   metadata:policy balanced-ips drop, policy security-ips drop, service http; \
>>>>   reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html; \
>>>>   classtype:trojan-activity; sid:10000125; rev:1;)
>>>>
>>>> PoS malware... what a pain.
>>>>
>>>> James
>>>
>>

Thanks Joel...let's hope nobody ever sees it...bad scene :(

James
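The rule quoted in this thread, modelled in Python as an added example (this is not James's rule engine or any VRT/Snort code): it decodes the Snort content string `User-Agent|3A|something`, restricts the search to what the `http_header` modifier inspects, and shows why the match is byte-exact when no `nocase` is given, so a header written `User-Agent: something` (with the usual space after the colon) does not match the pattern as posted. The User-Agent value "something" is kept as the placeholder James used; the sample requests, the `/gate.php` path and the `c2.example.invalid` host are constructed, and Snort's header normalisation is ignored.

```python
"""Model of the content match in the JackPOS rule posted above.

Added example, not James's rule or VRT code. Assumptions not in the post:
header bytes are matched raw (Snort's http_header normalisation is ignored),
the sample requests below are constructed, and the User-Agent value
"something" is James's placeholder kept literally.
"""
from typing import Dict


def decode_snort_content(spec: str) -> bytes:
    """Decode a Snort content string into the bytes it matches.

    Text outside pipe pairs is literal; text inside |...| is space-separated
    hex, so "User-Agent|3A|something" becomes b"User-Agent:something".
    """
    chunks = spec.split("|")
    if len(chunks) % 2 == 0:
        raise ValueError("unbalanced '|' in content string: %r" % spec)
    out = bytearray()
    for i, chunk in enumerate(chunks):
        if i % 2 == 0:
            out += chunk.encode("latin-1")                    # literal text
        else:
            out += bytes(int(h, 16) for h in chunk.split())   # hex bytes
    return bytes(out)


def http_header_buffer(raw_request: bytes) -> bytes:
    """Return what the http_header modifier inspects: the header lines after
    the request line, up to the blank line; never the body."""
    head, _sep, _body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if len(lines) < 2:
        return b""
    return b"\r\n".join(lines[1:]) + b"\r\n"


# The option checks of the posted rule, reduced to what this model evaluates.
RULE = {
    "dport": 80,                 # -> $EXTERNAL_NET 80
    "to_server": True,           # flow:to_server,established
    "content": decode_snort_content("User-Agent|3A|something"),
    "nocase": False,             # the posted rule carries no nocase modifier
}


def rule_fires(flow: Dict[str, object], rule: Dict[str, object] = RULE) -> bool:
    """True when one client->server request satisfies the rule's port, flow
    direction and http_header content checks."""
    if not flow["to_server"] or flow["dport"] != rule["dport"]:
        return False
    hay = http_header_buffer(flow["payload"])
    needle = rule["content"]
    if rule["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def make_request(ua_line: bytes, body: bytes = b"", dport: int = 80,
                 to_server: bool = True) -> Dict[str, object]:
    """Build a constructed POST to a hypothetical /gate.php carrying the given
    User-Agent header line; no real JackPOS traffic is reproduced here."""
    payload = (b"POST /gate.php HTTP/1.1\r\n"
               + b"Host: c2.example.invalid\r\n"
               + ua_line + b"\r\n"
               + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
               + body)
    return {"dport": dport, "to_server": to_server, "payload": payload}


# Constructed sample flows.
EXACT_UA   = make_request(b"User-Agent:something")      # matches byte for byte
SPACED_UA  = make_request(b"User-Agent: something")     # space after colon: no match
UPPER_UA   = make_request(b"USER-AGENT:SOMETHING")      # case differs, no nocase: no match
BODY_ONLY  = make_request(b"User-Agent: Mozilla/5.0",
                          body=b"User-Agent:something")  # body is not in http_header
OTHER_PORT = make_request(b"User-Agent:something", dport=8080)     # rule is pinned to port 80
RESPONSE   = make_request(b"User-Agent:something", to_server=False)  # wrong direction

if __name__ == "__main__":
    for name, flow in [("EXACT_UA", EXACT_UA), ("SPACED_UA", SPACED_UA),
                       ("UPPER_UA", UPPER_UA), ("BODY_ONLY", BODY_ONLY),
                       ("OTHER_PORT", OTHER_PORT), ("RESPONSE", RESPONSE)]:
        print(f"{name:10s} fires={rule_fires(flow)}")
```

Running the block prints which constructed flows fire; only `EXACT_UA` does. The `SPACED_UA` case is the check worth making against any real sample before deploying: if the malware's header has a space after the colon, the content needs `|3A 20|` or a `nocase`/looser pattern, otherwise the rule is silent.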



