[Snort-sigs] Osx.Trojan.OceanLotus

Y M snort at ...3751...
Fri Feb 17 11:18:41 EST 2017


Hello,


This one is a bit old, but I did not find an existing signature for it. The signature is derived from the reference article. No pcaps available.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; http_uri; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:1000843; rev:1;)


Thanks.

YM
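As an added example (not part of the original post or of Snort itself), the rule's match conditions re-implemented in Python and run over constructed sample requests, so the logic can be sanity-checked without a pcap; the request contents are assumptions, not captured traffic:

```python
"""Mirror the content / http_* checks of the OceanLotus Snort rule above
against raw HTTP/1.x requests, so the conditions can be tested offline."""

# Constructed samples (not real captures). BEACON mimics the request shape the
# rule describes; BROWSER is the same URI from an ordinary client; OTHER is unrelated.
BEACON = ("GET /sigstore.db?q=ZGF0YQ&k=abc123 HTTP/1.1\r\n"
          "Host: example.invalid\r\n\r\n")
BROWSER = ("GET /sigstore.db?q=ZGF0YQ&k=abc123 HTTP/1.1\r\n"
           "Host: example.invalid\r\n"
           "User-Agent: Mozilla/5.0\r\n"
           "Connection: keep-alive\r\n\r\n")
OTHER = ("GET /index.html?q=1 HTTP/1.1\r\n"
         "Host: example.invalid\r\n\r\n")


def parse_request(raw: str):
    """Split a request into (method, uri, header_block); body is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, header_block


def matches_oceanlotus_rule(raw: str) -> bool:
    """Snort content matches are case-sensitive substring tests; negated
    ones (content:!) require the string to be absent from that buffer."""
    method, uri, header_block = parse_request(raw)
    if method != "GET":                          # content:"GET"; http_method
        return False
    # The rule's "/sigstore.db?" has no http_uri modifier and is matched on the
    # raw payload; for a request that string can only sit in the URI anyway.
    for needle in ("/sigstore.db?", "k=", "?q="):
        if needle not in uri:                    # content:...; http_uri
            return False
    # content:!"User-Agent"; http_header  and  content:!"Connection"; http_header
    if "User-Agent" in header_block or "Connection" in header_block:
        return False
    return True


def scan(samples: dict) -> list:
    """Return the names of the samples that would trigger the rule."""
    return [name for name, raw in samples.items() if matches_oceanlotus_rule(raw)]


if __name__ == "__main__":
    print(scan({"BEACON": BEACON, "BROWSER": BROWSER, "OTHER": OTHER}))
```

The negated header checks are what keep the BROWSER sample from firing, which is why a legitimate client fetching the same path is not flagged.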

