[Snort-sigs] Wirelurker A and B
jlay at ...3266...
Thu Nov 6 11:47:19 EST 2014
May help someone somewhere...a quick search of
http://www.ua-tracker.com/ showed no known UA with globalupdate, so I
figured I'd just look for that and be done with it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, service http; reference:
classtype:trojan-activity; sid:10000138; rev:1;)
Rev C uses encrypted channels, so uh...hope you don't get C. As always,
fixes are welcome.
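The User-Agent check described in the post, as an added Python example that is not the poster's rule or part of the original message: it scans raw HTTP requests for the `globalupdate` string, matching case-insensitively and unfolding continuation lines. The sample requests, host names and function names are constructed for illustration.

```python
# Assumption: the marker is the string the post names ("globalupdate" in the User-Agent).
UA_MARKER = "globalupdate"

# Constructed sample requests (not captured traffic); hosts and UA values are placeholders.
SAMPLE_REQUESTS = [
    b"GET /check HTTP/1.1\r\nHost: updates.example.test\r\n"
    b"User-Agent: globalupdate/1.0 (constructed)\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
    b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5)\r\n\r\n",
    # Header name in lower case, value folded onto a continuation line.
    b"POST /a HTTP/1.1\r\nHost: h.example.test\r\n"
    b"user-agent:\r\n GlobalUpdate/1.0\r\n\r\n",
    # No User-Agent header at all.
    b"GET /x HTTP/1.1\r\nHost: nohdr.example.test\r\n\r\n",
]

def parse_headers(raw):
    """Return (request_line, headers) with lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:
            # Continuation line: append to the previous header's value.
            headers[last] = (headers[last] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip it
        last = name.strip().lower()
        value = value.strip()
        # Repeated headers are joined so a match in any copy is seen.
        headers[last] = headers[last] + ", " + value if last in headers else value
    return lines[0], headers

def find_marker_requests(requests, marker=UA_MARKER):
    """List requests whose User-Agent contains the marker (case-insensitive)."""
    hits = []
    for index, raw in enumerate(requests):
        request_line, headers = parse_headers(raw)
        ua = headers.get("user-agent", "")
        if marker.lower() in ua.lower():
            hits.append({"index": index, "host": headers.get("host", ""),
                         "request": request_line, "user_agent": ua})
    return hits

if __name__ == "__main__":
    for hit in find_marker_requests(SAMPLE_REQUESTS):
        print(hit)
```

Like the rule in the post, this only sees cleartext HTTP, so it does not cover the encrypted channels the post mentions for Rev C.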