[Snort-sigs] KrakenHTTP botnet sig

James Lay jlay at ...3266...
Fri Apr 17 11:03:39 EDT 2015


This might be old news, but I didn't see any sigs, so here's one for it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC KrakenHTTP C&C Traffic Detected"; flow:established,to_server; uricontent:"idcontact.php|3F|"; uricontent:"=|26|steam="; uricontent:"|26|origin="; uricontent:"|26|webnavig="; uricontent:"|26|java="; reference:url,itsjack.cc/blog/2015/02/krakenhttp-not-sinking-my-ship-part-1; classtype:bad-unknown; sid:10000157; rev:1;)

Sanity tested only

James
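For anyone who wants to check what the rule above actually keys on before deploying it, here is an added example (not James's code and not part of the original post) that decodes the rule's five uricontent strings from their Snort |hex| escapes and applies the same substring tests to constructed HTTP request lines. The request lines are made up for the example and are not captured KrakenHTTP traffic; only the URI content matches are mirrored, the flow direction and $HTTP_PORTS constraints are left to the sensor.

```python
import re

# The rule's five uricontent strings exactly as written, with Snort |hex| escapes.
RULE_URICONTENT = (
    "idcontact.php|3F|",
    "=|26|steam=",
    "|26|origin=",
    "|26|webnavig=",
    "|26|java=",
)

# Snort hex escape: one or more two-digit hex bytes between pipes, e.g. |3F| or |0D 0A|.
_HEX_ESCAPE = re.compile(r"\|([0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)\|")


def decode_snort_content(pattern: str) -> str:
    """Decode Snort |hex| escapes: 'idcontact.php|3F|' -> 'idcontact.php?'."""
    return _HEX_ESCAPE.sub(
        lambda m: bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1"),
        pattern,
    )


# Decoded patterns; uricontent is a plain substring match on the normalized URI.
URICONTENT = tuple(decode_snort_content(p) for p in RULE_URICONTENT)


def uri_matches(uri: str) -> bool:
    """True when every uricontent string occurs in the URI (Snort ANDs them)."""
    return all(needle in uri for needle in URICONTENT)


# Constructed request lines (not real captures) in the shape of a web/proxy log.
# Note that "=&steam=" requires the parameter before steam to have an empty
# value; a non-empty value such as "id=AB12&steam=" does not satisfy the rule.
SAMPLE_REQUEST_LINES = [
    "GET /idcontact.php?sig=&steam=1&origin=1&webnavig=0&java=1 HTTP/1.1",  # all five present
    "GET /idcontact.php?id=AB12&steam=0&origin=1&webnavig=1&java=0 HTTP/1.1",  # '=&steam=' absent
    "GET /idcontact.php?sig=&steam=0 HTTP/1.1",  # origin/webnavig/java missing
    "GET /index.php?sig=&steam=1&origin=1&webnavig=1&java=1 HTTP/1.1",  # wrong script name
    "POST /idcontact.php HTTP/1.1",  # no query string at all
]

_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d$")


def flag_request_lines(lines):
    """Return the URIs of request lines that satisfy all of the rule's URI checks."""
    hits = []
    for line in lines:
        m = _REQUEST_LINE.match(line.strip())
        if m and uri_matches(m.group("uri")):
            hits.append(m.group("uri"))
    return hits


if __name__ == "__main__":
    print("decoded uricontent:", URICONTENT)
    for uri in flag_request_lines(SAMPLE_REQUEST_LINES):
        print("MALWARE-CNC KrakenHTTP C&C URI pattern:", uri)
```

The second sample line is the one worth noticing: it carries every parameter name the rule lists but still does not fire, because "=|26|steam=" only matches when the preceding parameter's value is empty. That is the kind of detail a quick run like this surfaces before the rule goes live.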
