[Snort-sigs] Assist with FrameworkPOS sig

James Lay jlay at ...3266...
Wed Oct 15 14:19:03 EDT 2014

Hey all,

I'm attempting to get something going for the below:


In a nutshell I'm trying to create a couple sigs to match:


This request is the heartbeat. The ID is a random ID generated during 
the first execution of the malware. Encoded_data1 is the IP address of 
the infected machine and encoded_data2 is the host name of the machine.


The ID is the same random ID as used in the example above and 
encoded_data3 is a process name. The attackers receive the process name 
each time a credit card number is found in the memory.

An example DNS request:


alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS beacon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|beacon|1A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:10000137; rev:1;)

What I don't have intel on is if the values before and after beacon and 
alert change length.  Is pcre a good fit for this?  Or something else?  
Thanks for looking all.
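Added example (not from the post or its author): it builds a constructed DNS query with the label layout the post describes (ID, encoded data, "beacon", encoded data) and compares the rule's fixed `|06|beacon|1A|` content match, which only fires when the following label is exactly 26 bytes, with a label-aware check that is independent of the neighbouring label lengths. Label values, the transaction ID and the trailing domain are placeholders.

```python
import struct

def build_dns_query(labels, txid=0x1234, flags=0x0100):
    """Constructed sample DNS packet: header, one question (QTYPE A, QCLASS IN).
    flags=0x0100 is a standard query (QR=0, Opcode=0, RD=1)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def is_standard_query(pkt):
    """Same check as the rule's byte_test:1,!&,0xF8,2:
    the QR bit and the four Opcode bits in the flags byte must all be clear."""
    return len(pkt) > 2 and (pkt[2] & 0xF8) == 0

def qname_labels(pkt):
    """Walk the first question name and return its labels as bytes."""
    labels, off = [], 12  # question section starts right after the 12-byte header
    while off < len(pkt):
        n = pkt[off]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[off + 1:off + 1 + n])
        off += 1 + n
    return labels

def fixed_content_match(pkt):
    """What content:"|06|beacon|1A|" matches: the 'beacon' label followed by a
    length byte of 0x1A, i.e. the next label must be exactly 26 bytes long."""
    return b"\x06beacon\x1a" in pkt

def beacon_label_match(pkt):
    """Length-agnostic alternative: a standard query whose name contains a
    'beacon' label with at least one label before it and one after it."""
    if not is_standard_query(pkt):
        return False
    labels = qname_labels(pkt)
    return any(labels[i] == b"beacon" for i in range(1, len(labels) - 1))

if __name__ == "__main__":
    # Constructed inputs: 26-byte trailing data (rule fires) vs. 20-byte (rule misses).
    full = build_dns_query([b"a1b2c3", b"encodedip", b"beacon", b"x" * 26, b"example", b"com"])
    short = build_dns_query([b"a1b2c3", b"encodedip", b"beacon", b"x" * 20, b"example", b"com"])
    print(fixed_content_match(full), beacon_label_match(full))    # True True
    print(fixed_content_match(short), beacon_label_match(short))  # False True
```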

