[Snort-sigs] Signature for post infection c2 server contact

el cabezon elcabezzonn at ...2420...
Fri Sep 9 15:32:44 EDT 2016

This is a sig for a very particular UA I've seen contact several C2 servers
with the ccTLD .ru. Once it contacts the C2, additional payloads are dropped
on the infected host. Any recommendations or critiques on how to improve
the rule are welcome. Thank you.

# Outbound HTTP POST carrying the "Christmas Mystery " User-Agent with no Referer header.
# Written with Snort's backslash line continuation; the options are unchanged apart from
# the added classtype.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"Post Infection C2 server contact"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:!"|0A|Referer|3A|"; http_header; \
    content:"User-Agent|3A| Christmas Mystery "; http_header; nocase; \
    classtype:trojan-activity; \
    sid:1000000004; rev:2;)
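To see what the rule's three content checks accept and reject before loading it into a sensor, here is an added Python model of that logic (my own example, not part of the post or of Snort), run over constructed HTTP requests; the host names and paths in the samples are hypothetical.

```python
# Model of the rule's match logic applied to raw HTTP requests.
# All sample requests below are constructed for this example, not captured traffic.

UA = b"User-Agent: Christmas Mystery \r\n"          # note the trailing space, as in the rule
SAMPLES = {
    # Should fire: POST, the suspect User-Agent, no Referer header.
    "post_ua_no_referer": b"POST /gate.php HTTP/1.1\r\nHost: c2.example\r\n" + UA + b"\r\n",
    # Should not fire: same User-Agent but a GET; the rule requires http_method POST.
    "get_ua": b"GET / HTTP/1.1\r\nHost: c2.example\r\n" + UA + b"\r\n",
    # Should not fire: a Referer header is present.
    "post_ua_referer": b"POST /gate.php HTTP/1.1\r\nHost: c2.example\r\n" + UA
        + b"Referer: http://c2.example/\r\n\r\n",
    # Should fire: nocase makes the User-Agent match case-insensitive.
    "post_ua_mixed_case": b"POST /gate.php HTTP/1.1\r\nHost: c2.example\r\n"
        b"user-agent: CHRISTMAS mystery \r\n\r\n",
    # Should not fire: an ordinary browser User-Agent.
    "post_other_ua": b"POST /upload HTTP/1.1\r\nHost: www.example\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n",
}


def split_request(raw: bytes) -> tuple:
    """Return (method, header block). The header block is every line after the
    request line, the part of the request the rule's http_header checks look at."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return method, headers + b"\r\n"


def rule_matches(raw: bytes) -> bool:
    """Apply the rule's three content checks to one request."""
    method, headers = split_request(raw)
    if method != b"POST":                      # content:"POST"; http_method;
        return False
    # content:!"|0A|Referer|3A|"; http_header;  (negated, case-sensitive)
    # The leading 0A means a Referer on the very first header line, which has no
    # preceding newline in this buffer, would not be excluded by the literal pattern.
    if b"\nReferer:" in headers:
        return False
    # content:"User-Agent|3A| Christmas Mystery "; http_header; nocase;
    return b"user-agent: christmas mystery " in headers.lower()


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule logic."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:22} {'ALERT' if fired else 'no match'}")
```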