[Snort-sigs] Assist with FrameworkPOS sig
jlay at ...3266...
Wed Oct 15 14:19:03 EDT 2014
I'm attempting to get something going for the below:
In a nutshell I'm trying to create a couple sigs to match:
This request is the heartbeat. The ID is a random ID generated during
the first execution of the malware. Encoded_data1 is the IP address of
the infected machine and encoded_data2 is the host name of the machine.
The ID is the same random ID as used in the example above and
encoded_data3 is a process name. The attackers receive the process name
each time a credit card number is found in the memory.
An example DNS request:
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS beacon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|beacon|1A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:10000137; rev:1;)
What I don't have intel on is if the values before and after beacon and
alert change length. Is pcre a good fit for this? Or something else?
Thanks for looking all.
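The question in the post is whether the labels on either side of "beacon" and "alert" vary in length. The following is an added example, not code from the original post or from the Sourcefire rule: a Python sketch that builds constructed DNS queries in a hypothetical FrameworkPOS-style name layout, mirrors the rule's byte_test flag check, walks the length-prefixed labels to pull out the fields before and after the marker label whatever their length, and contrasts the fixed `|06|beacon|1A|` pattern with a length-agnostic one. The label layout, the placeholder C2 domain, the sample id and the field encodings are assumptions.

```python
import re
import struct

# Hypothetical query layout, constructed for this example (the page does not give the real one):
#   <id>.<encoded_data1>.<encoded_data2>.beacon.<c2-domain>   heartbeat
#   <id>.<encoded_data3>.alert.<c2-domain>                    card-found notification
# The id, the field encodings and the C2 domain below are placeholders, not observed values.

def build_dns_packet(qname: str, flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS packet with one A/IN question; flags=0x0100 is a standard query."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    return header + name + b"\x00" + struct.pack(">HH", 1, 1)

def is_standard_query(payload: bytes) -> bool:
    """Equivalent of the rule's byte_test:1,!&,0xF8,2 -- flags byte 2 has QR=0 and opcode=0."""
    return len(payload) > 2 and (payload[2] & 0xF8) == 0

def question_labels(payload: bytes) -> list:
    """Walk the length-prefixed labels of the first question name (the header is 12 bytes)."""
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in a question name")
        labels.append(payload[pos + 1:pos + 1 + length])
        pos += 1 + length
    return labels

def split_on_marker(payload: bytes, marker: bytes):
    """Return (labels_before, labels_after) around marker (b'beacon' or b'alert'), or None
    when the packet is not a standard query or the marker label is absent."""
    if not is_standard_query(payload):
        return None
    labels = question_labels(payload)
    if marker not in labels:
        return None
    i = labels.index(marker)
    return labels[:i], labels[i + 1:]

# Byte patterns for the two matching strategies under discussion.
FIXED_NEXT_LABEL = re.compile(rb"\x06beacon\x1a")       # content:"|06|beacon|1A|": next label must be 26 bytes
ANY_NEXT_LABEL = re.compile(rb"\x06beacon[\x01-\x3f]")  # any legal label length (1..63) after "beacon"

# Constructed samples. 'c0a80105' stands for an encoded 192.168.1.5; the encoding is assumed.
HEARTBEAT_26 = build_dns_packet("deadbeef.c0a80105.WORKSTATION1.beacon.abcdefghijklmnopqrstuvwxyz.com")
HEARTBEAT_SHORT = build_dns_packet("deadbeef.c0a80105.WORKSTATION1.beacon.example.com")
ALERT = build_dns_packet("deadbeef.706f732e657865.alert.example.com")
RESPONSE = build_dns_packet("deadbeef.c0a80105.WORKSTATION1.beacon.example.com", flags=0x8180)

if __name__ == "__main__":
    for name, pkt in [("26-byte label", HEARTBEAT_26), ("short label", HEARTBEAT_SHORT),
                      ("alert", ALERT), ("response", RESPONSE)]:
        print(name, split_on_marker(pkt, b"beacon"), split_on_marker(pkt, b"alert"),
              bool(FIXED_NEXT_LABEL.search(pkt)), bool(ANY_NEXT_LABEL.search(pkt)))
```

In DNS wire format every label carries its own length byte, so `|06|beacon|` already matches regardless of how long the id, IP and hostname labels before it are; only the trailing `|1A|` pins the next label to 26 bytes, which is safe only if the C2 domain's first label is known to be fixed. If that is uncertain, dropping `|1A|` from the content, or a pcre such as `/\x06beacon[\x01-\x3f]/` (the same pattern as ANY_NEXT_LABEL above), accepts any legal following label length, and the byte_test on the flags keeps responses from matching.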