[Snort-sigs] CobaltStrike certificate

wkitty42 at ...3507... wkitty42 at ...3507...
Mon Dec 12 16:33:27 EST 2016

On 12/12/2016 03:30 PM, joshua burgess wrote:
> That being said... What's wrong with this rule:
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert";
> flow:established,from_server; content:"|6e ce  5e ce 41 92 68 3d 2d 84 e2 5b 0b
> a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046; rev:1;)

is that extra space really in the thumb print?

s/6e ce  5e/6e ce 5e/


  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

More information about the Snort-sigs mailing list