[Snort-sigs] Offer a new sig for detecting JS_JITON Malware

rmkml rmkml at ...4129...
Mon Apr 11 15:48:52 EDT 2016


First, thanks @TrendMicro for sharing.

The http://etplc.org open source project offers a new sig for detecting JS_JITON:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC JS_JITON Malware possible attempt"; flow:to_server,established; content:".tongjii."; nocase; http_header; content:".js"; nocase; http_uri; pcre:"/Host\x3a[^\r\n]*?\.tongjii\./Hi"; classtype:misc-attack; sid:1; rev:1;)

See the reference for more information.

Don't forget to check the variables.

Please send any comments.
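The following script is an added example, not part of the post above and not code from the etplc.org project: it re-implements the three matching conditions of the posted rule (`.tongjii.` anywhere in the header block, `.js` in the URI, and the PCRE that pins `.tongjii.` to the Host header) in Python and runs them over a handful of constructed HTTP requests. All hostnames, paths and header values in the samples are made up for illustration; they are not observed JS_JITON infrastructure.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Emulates the conditions of the posted Snort rule on parsed HTTP requests.
# Added illustration only: Snort applies its own buffer normalisation and
# fast-pattern selection, so this is a model of the logic, not the engine.

RULE_MSG = "WEB-MISC JS_JITON Malware possible attempt"

# pcre:"/Host\x3a[^\r\n]*?\.tongjii\./Hi"  (H = raw header buffer, i = nocase)
HOST_PCRE = re.compile(rb"Host\x3a[^\r\n]*?\.tongjii\.", re.IGNORECASE)


class HttpRequest(NamedTuple):
    method: bytes
    uri: bytes
    headers: bytes  # raw header block, what Snort's http_header buffer sees


def parse_request(raw: bytes) -> Optional[HttpRequest]:
    """Split a raw client request into request line and header block.

    Returns None for anything that is not an HTTP request; the rule has
    flow:to_server, so responses must never be evaluated."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return HttpRequest(parts[0], parts[1], headers)


def rule_matches(req: HttpRequest) -> bool:
    """Snort ANDs all content/pcre options, so every condition must hold."""
    # content:".tongjii."; nocase; http_header;
    if b".tongjii." not in req.headers.lower():
        return False
    # content:".js"; nocase; http_uri;
    if b".js" not in req.uri.lower():
        return False
    # pcre over the header buffer: the string must sit inside the Host header
    # itself; [^\r\n]*? cannot cross into a following header line.
    return HOST_PCRE.search(req.headers) is not None


def scan(raw_requests: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, msg) for every request that would fire the rule."""
    alerts = []
    for i, raw in enumerate(raw_requests):
        req = parse_request(raw)
        if req is not None and rule_matches(req):
            alerts.append((i, RULE_MSG))
    return alerts


# Constructed sample traffic (hostnames and paths are invented for the example).
SAMPLES = [
    # 0: fires -- .js in the URI and .tongjii. inside the Host header
    b"GET /count/stat.js HTTP/1.1\r\nHost: js.tongjii.example\r\nUser-Agent: x\r\n\r\n",
    # 1: no alert -- Host is unrelated
    b"GET /count/stat.js HTTP/1.1\r\nHost: www.example.net\r\n\r\n",
    # 2: no alert -- Host matches but the URI is not a .js resource
    b"GET /index.html HTTP/1.1\r\nHost: js.tongjii.example\r\n\r\n",
    # 3: no alert -- .tongjii. appears in a header, but not the Host header:
    #    the http_header content matches, the pcre does not
    b"GET /a.js HTTP/1.1\r\nHost: cdn.example.org\r\nReferer: http://x.tongjii.example/\r\n\r\n",
    # 4: fires -- nocase on both contents and the /i flag make this match too
    b"GET /A.JS HTTP/1.1\r\nHOST: JS.TONGJII.EXAMPLE\r\n\r\n",
]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLES):
        print(f"sample {idx}: {msg}")
```

Sample 3 is the one worth keeping in mind when tuning: the `http_header` content alone would fire on a Referer, and only the PCRE restricts the hit to the Host header, so dropping the PCRE for speed widens the rule. Two deployment caveats beyond the author's "check the variables" ($HOME_NET, $EXTERNAL_NET and $HTTP_PORTS must be set correctly in snort.conf): `sid:1` is a placeholder inside the range reserved for Snort's own rules, so assign a local sid of 1000000 or above before loading it, and the rule must be on a single line (or use `\` line continuation) since mail clients tend to wrap it.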

