[Snort-sigs] KrakenHTTP botnet sig

Matt Mickel mmickel at ...435...
Thu Apr 30 14:53:27 EDT 2015


Hi, James-

This rule has been reviewed and committed to the community ruleset. In 
the committed version I used the within content modifier to enforce 
order and length.  Additionally, I changed the formatting from:

uricontent:"idcontact.php|3F|";

to

content:"idcontact.php|3F|"; http_uri;

Thanks for your contribution!  Best,

Matt Mickel


On 04/17/2015 11:03 AM, James Lay wrote:
> This might be old news, but didn't see any sigs so here's one for it:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> KrakenHTTP C&C Traffic Detected"; flow:established,to_server;
> uricontent:"idcontact.php|3F|"; uricontent:"=|26|steam=";
> uricontent:"|26|origin="; uricontent:"|26|webnavig=";
> uricontent:"|26|java=";
> reference:url,itsjack.cc/blog/2015/02/krakenhttp-not-sinking-my-ship-part-1;
> classtype:bad-unknown; sid:10000157; rev:1;)
>
> Sanity tested only
>
> James
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
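The difference between the five stand-alone uricontent checks in the submitted rule and the committed version with within modifiers is easiest to see by running both matching strategies over a few URIs. The following is an added example, not code from the post or from the Snort project: it decodes the |3F| / |26| hex escapes used in the rule, then applies Snort-style matching to three constructed URIs (not captured KrakenHTTP traffic). The within values (64 and 32) are assumptions; the post does not say which numbers went into the committed rule.

```python
"""Unordered vs. within-chained content matching, Snort style.

Added illustration, not the committed Snort rule. The within values
below are assumed; the mailing-list post does not give them.
"""
import re


def decode_content(pattern: str) -> str:
    """Expand Snort |hh hh| hex escapes, e.g. 'idcontact.php|3F|' -> 'idcontact.php?'."""
    out = []
    for tok in re.split(r"(\|[0-9A-Fa-f\s]+\|)", pattern):
        if len(tok) > 1 and tok.startswith("|") and tok.endswith("|"):
            out.append(bytes.fromhex(tok[1:-1]).decode("latin-1"))
        else:
            out.append(tok)
    return "".join(out)


# Content strings exactly as written in the submitted rule.
RULE_CONTENTS = [
    "idcontact.php|3F|", "=|26|steam=", "|26|origin=", "|26|webnavig=", "|26|java=",
]
UNORDERED = [decode_content(c) for c in RULE_CONTENTS]

# Committed-style chain: every content after the first is relative to the
# previous match and must sit inside a window of `within` bytes. The window
# sizes are an assumption for this demo.
ORDERED = list(zip(UNORDERED, [None, 64, 32, 32, 32]))


def match_unordered(uri: str, patterns) -> bool:
    """Five independent uricontent checks: each pattern anywhere, any order."""
    return all(p in uri for p in patterns)


def match_ordered(uri: str, chain):
    """Chained content; http_uri; within:N semantics.

    Returns None on a full match, otherwise the index of the first content
    that could not be found in its window after the previous match.
    """
    cursor = 0
    for i, (pat, within) in enumerate(chain):
        if i == 0:
            pos = uri.find(pat)  # first content: absolute search
        else:
            # search only the `within` bytes following the previous match;
            # find() on the slice guarantees the whole pattern fits inside it
            pos = uri[cursor:cursor + within].find(pat)
            if pos >= 0:
                pos += cursor
        if pos < 0:
            return i
        cursor = pos + len(pat)
    return None


# Constructed sample URIs (not real beacons).
HIT = "/idcontact.php?id=dGVzdA==&steam=1&origin=0&webnavig=1&java=0"
REORDERED = "/idcontact.php?id=x&java=0&webnavig=1&origin=0&x=&steam=1"
UNRELATED = "/idcontact.php?id=1&foo=bar"


if __name__ == "__main__":
    for name, uri in [("HIT", HIT), ("REORDERED", REORDERED), ("UNRELATED", UNRELATED)]:
        print(f"{name:10} unordered={match_unordered(uri, UNORDERED)} "
              f"ordered_fail_at={match_ordered(uri, ORDERED)}")
```

The reordered URI satisfies all five unordered checks, while the chained version stops at "&origin=" because nothing matching it follows the "=&steam=" hit. Two caveats for real deployments: http_uri matches the normalised URI buffer rather than the raw request line as this demo does, and a within that is too small for a legitimate field value will silently turn a true positive into a miss, so size the windows from observed samples.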
