[Snort-sigs] FindPOS sig

James Lay jlay at ...3266...
Thu Mar 19 16:34:35 EDT 2015


Quick and dirty and sanity checked only.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
FindPOS C&C"; flow:to_server,established; content:"POST"; http_method; 
content:"uid="; fast_pattern; http_client_body; content:"win="; 
http_client_body; content:"vers="; http_client_body; content:"logs="; 
http_client_body; metadata:impact_flag red, policy balanced-ips drop, 
policy security-ips drop, service http; 
reference:url,researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered; 
classtype:trojan-activity; sid:10000155; rev:1;)

James




More information about the Snort-sigs mailing list