[Snort-sigs] MALWARE-CNC Win.Trojan.Bedep variant outbound connection (1:33188)

Elliot Anderson new.http.451 at ...2420...
Tue Jan 19 15:56:22 EST 2016

Hello all,

Anybody struggled with the 1:33188 sig previously. The thing is that this signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection”; flow:to_server,established; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; content:"Host|3A 20|www.ecb.europa.eu <http://www.ecb.europa.eu/>|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33188; rev:4; )

Quite often triggers on legitimate traffic not associated with any CNC connections, just simple browsing and request for file from the European Central Bank (ECB) which contains the last 90 days of “Euro foreign exchange reference rates” and is updated daily. However Trojan Bedep uses it as part of DGA scheme.

Are there any supplement signatures for this activity cause this one isn't working exactly the way we would like and expect it to work.

Thanks for any comments,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20160119/8f0b8012/attachment.html>

More information about the Snort-sigs mailing list