[Snort-sigs] Pawn Storm sig

James Lay jlay at ...3266...
Wed Feb 4 14:11:01 EST 2015


YAY:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"MALWARE-OTHER Pawn Storm UA (XAgent)"; flow:to_server,established; \
content:"User-Agent|3a| XAgent"; http_header; fast_pattern:only; \
reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found; \
classtype:trojan-activity; sid:10000149; rev:1;)

http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/

Sanity checked only.

James
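
A coverage check for the rule's content match, added here as an example and not part of the original post: it decodes the content option and runs it against constructed requests to show which header spellings the rule fires on. It treats http_header as the raw header block, which is an assumption (http_inspect normalization is not modeled), and the host, path and sample User-Agent values are constructed.

```python
# Content option copied from the rule in the post above.
RULE_CONTENT = "User-Agent|3a| XAgent"

def decode_content(pattern: str) -> bytes:
    """Snort content string -> bytes: text is literal, |..| spans are hex bytes.
    Backslash escapes are not handled (the rule above uses none)."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def header_block(request: bytes) -> bytes:
    """Header lines only: after the request line, before the blank line."""
    head = request.split(b"\r\n\r\n", 1)[0]
    return head.partition(b"\r\n")[2]

def rule_matches(request: bytes, nocase: bool = False) -> bool:
    """Approximate the rule's content test: byte search in the header block.
    nocase=True models adding the 'nocase' modifier, which the rule lacks."""
    needle, hay = decode_content(RULE_CONTENT), header_block(request)
    if nocase:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

def req(ua_line: bytes, body: bytes = b"") -> bytes:
    """Build a constructed request (host and path are placeholders)."""
    method = b"POST" if body else b"GET"
    return (method + b" /check HTTP/1.1\r\nHost: example.test\r\n"
            + ua_line + b"\r\nAccept: */*\r\n\r\n" + body)

# Constructed sample requests, not captured traffic.
SAMPLES = {
    "exact":     req(b"User-Agent: XAgent"),
    "versioned": req(b"User-Agent: XAgent/0.0"),   # pattern is a prefix match
    "lowercase": req(b"user-agent: xagent"),       # content is case-sensitive
    "no_space":  req(b"User-Agent:XAgent"),        # rule requires the space
    "browser":   req(b"User-Agent: Mozilla/5.0"),
    "body_only": req(b"User-Agent: Mozilla/5.0", body=b"User-Agent: XAgent"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} as-written={rule_matches(raw)} "
              f"nocase={rule_matches(raw, nocase=True)}")
```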



