[Snort-sigs] Mumblehard sig

James Lay jlay at ...3266...
Fri May 1 12:21:49 EDT 2015


....mumblehard..really?  ANYWAY:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Possible Mumblehard UA"; flow:to_server,established; content:"User-Agent|3a| Mozilla|2f|5.0 |28|Windows NT 6.1|3b| rv|3a|7.0.1|29| Gecko|2f|"; fast_pattern:only; content:"Firefox|2f|7.0.1"; reference:url,www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers; classtype:bad-unknown; sid:10000159; rev:1;)

If your org is REALLY running Firefox 7.0.1 (released in September 
2011), then chances are this WILL false.  Standard disclaimer of "fix it 
if it needs it" applies.  Sanity checked only.

James
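The following is an added example, not part of James's post: a small Python harness that decodes the two Snort `content:` options from the signature above (the `|xx|` hex escapes) and applies them to constructed SMTP message payloads. It shows what bytes the rule is really looking for, why a message needs both strings to fire, and why a real Firefox 7.0.1 mail client produces the same bytes as the Mumblehard spam (the false-positive caveat in the post). The sample payloads are constructed for this example; the helper names are this example's own, not Snort's.

```python
import re

# Content options copied from the posted signature (Snort |xx| hex escapes).
CONTENT_UA = "User-Agent|3a| Mozilla|2f|5.0 |28|Windows NT 6.1|3b| rv|3a|7.0.1|29| Gecko|2f|"
CONTENT_FF = "Firefox|2f|7.0.1"

# A |...| run holds pairs of hex digits, optionally separated by spaces.
_HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def decode_snort_content(pattern: str) -> bytes:
    """Return the raw bytes a Snort content string matches.

    Text outside |...| is literal; text inside is hex. This covers the
    escapes used in the rule above (no \" or \| handling is needed here).
    """
    out = bytearray()
    pos = 0
    for m in _HEX_RUN.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


def rule_matches(payload: bytes) -> bool:
    """Approximate the rule's payload logic.

    Both content strings must be present somewhere in the payload. The
    signature uses no distance/within modifiers, so order is not enforced;
    flow and port checks are outside this helper's scope.
    """
    return all(decode_snort_content(c) in payload for c in (CONTENT_UA, CONTENT_FF))


# Constructed SMTP DATA fragments (not real captures) used to exercise the rule.
SAMPLES = {
    # Spam with the user agent the signature targets.
    "mumblehard_like": (
        b"From: sender@example.test\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\r\n"
        b"\r\nbuy now\r\n"
    ),
    # A genuine, badly out-of-date desktop client: identical header bytes, so it
    # fires too. This is the false positive the post warns about.
    "legit_firefox_701": (
        b"From: colleague@corp.example\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1\r\n"
        b"\r\nminutes attached\r\n"
    ),
    # A current browser build: neither content string appears.
    "modern_firefox": (
        b"User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"
    ),
    # Only the first content string appears; the second ("Firefox/7.0.1") does not.
    "partial_only": (
        b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0\r\n"
    ),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule logic."""
    return {name: rule_matches(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    print("UA bytes:", decode_snort_content(CONTENT_UA))
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} -> {'ALERT' if hit else 'no match'}")
```

Running it prints the decoded header string and one verdict per sample; the `legit_firefox_701` hit is the point of the exercise, since nothing in the two content matches distinguishes the spam engine's forged header from a real client sending the same string, so the rule's value rests on how unlikely that client is on your network.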
