[Snort-sigs] Visbot sig

James Lay jlay at ...3266...
Fri Dec 2 13:46:46 EST 2016


Meh:

# Matches the Visbot User-Agent request header on inbound HTTP traffic.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Visbot UA detected"; flow:to_server,established; \
    content:"User-Agent|3a 20|Visbot"; fast_pattern:only; http_header; \
    metadata:policy balanced-ips drop, policy security-ips drop, service http; \
    reference:url,www.bleepingcomputer.com/news/security/visbot-malware-found-on-6-691-magento-online-stores/; \
    classtype:trojan-activity; sid:100000860; rev:1;)

Sanity tested only.

James
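
The buffer distinction behind the rule's content match, as an added example that is not part of the original post: a simplified Python approximation of Snort's URI and header buffers, run over constructed requests. The function names, the sample requests and the `Visbot/0.0` value are assumptions made for illustration.

```python
# Added example: approximates two of Snort's HTTP inspection buffers to show
# where the rule's content string can match. All sample requests are constructed.

PATTERN = b"User-Agent: Visbot"  # "User-Agent|3a 20|Visbot" with the hex decoded


def split_buffers(raw: bytes):
    """Return (uri, headers) from a raw HTTP/1.x request.

    Simplified: no URI normalization and no header unfolding, both of which
    Snort's HTTP preprocessor can also perform.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, headers


def match_buffers(raw: bytes):
    """Report which buffer contains the pattern (case-sensitive, no nocase)."""
    uri, headers = split_buffers(raw)
    return {"uri": PATTERN in uri, "header": PATTERN in headers}


# Constructed sample requests; host, paths and UA version are placeholders.
SAMPLES = {
    # Visbot string in the User-Agent header: only the header buffer matches.
    "visbot_ua": b"POST /index.php HTTP/1.1\r\nHost: shop.example\r\n"
                 b"User-Agent: Visbot/0.0\r\nContent-Length: 0\r\n\r\n",
    # "Visbot" only in the query string, ordinary browser UA: no match.
    "browser_ua": b"GET /search?q=Visbot HTTP/1.1\r\nHost: shop.example\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n",
    # Lower-case header name: a case-sensitive content match misses it.
    "lowercase_name": b"GET / HTTP/1.1\r\nHost: shop.example\r\n"
                      b"user-agent: Visbot/0.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, match_buffers(raw))
```

The third sample is the case to weigh when tuning: a content match is case-sensitive unless `nocase` is set, so a differently cased header name would not be flagged.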



