[Snort-sigs] Osx.Adware.Pirrit

Y M snort at ...3751...
Fri Feb 17 11:21:33 EST 2017


Hello,


Sorry for the noise. This one is also a bit old, and I did not find existing signatures for it. Like the one before, the signatures were derived from the reference article. No pcaps are available.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/engine/getData.php?"; fast_pattern:only; http_uri; content:"type=service"; http_uri; content:"&file="; http_uri; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000844; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/cld?mid="; fast_pattern:only; http_uri; content:"&ct="; http_uri; content:"User-Agent|3A 20|curl"; http_header; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000845; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/update-effect?mid="; fast_pattern:only; http_uri; content:"&st="; http_uri; content:"User-Agent|3A 20|curl"; http_header; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000846; rev:1;)


Thank you.

YM
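Since the post says no pcaps are available, the following is an added example (not the poster's code, and not taken from the Objective-See write-up) that builds a synthetic pcap carrying the three request shapes the rules describe, so they can be exercised with `snort -r` before submission. Only the URI paths and the `curl` User-Agent come from the rules; the client and server IPs, the MACs, the source ports, the query values and the `Host` header are constructed test data. Each flow includes a full TCP handshake so that `flow:to_server,established` is satisfied by the stream tracker, and both the IPv4 and TCP checksums are computed so Snort does not drop the frames as corrupt.

```python
"""Synthetic pcap for the three Pirrit rules.

Added example, not the poster's code and not from the Objective-See write-up.
Only the URI paths and the curl User-Agent come from the rules; the hosts,
MACs, ports, query values and Host header are constructed for testing.
"""
import socket
import struct

CLIENT_IP, SERVER_IP = "10.0.0.5", "203.0.113.10"   # assumed $HOME_NET / $EXTERNAL_NET hosts
CLIENT_MAC = bytes.fromhex("020000000001")          # constructed locally administered MACs
SERVER_MAC = bytes.fromhex("020000000002")
SYN, ACK, PSHACK = 0x02, 0x10, 0x18

# One request per rule (sids 1000844, 1000845, 1000846); query values and Host are made up.
REQUESTS = [
    "GET /engine/getData.php?type=service&file=settings.plist HTTP/1.1\r\n"
    "Host: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /cld?mid=0123456789abcdef&ct=1 HTTP/1.1\r\n"
    "Host: example.invalid\r\nUser-Agent: curl/7.43.0\r\n\r\n",
    "GET /update-effect?mid=0123456789abcdef&st=1 HTTP/1.1\r\n"
    "Host: example.invalid\r\nUser-Agent: curl/7.43.0\r\n\r\n",
]


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum, used for both the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Return one IPv4 packet carrying one TCP segment with valid checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def checksums_ok(ip_pkt: bytes) -> bool:
    """Recompute both checksums over a packet from ipv4_tcp(); a valid one folds to 0."""
    pseudo = ip_pkt[12:20] + struct.pack("!BBH", 0, 6, len(ip_pkt) - 20)
    return checksum(ip_pkt[:20]) == 0 and checksum(pseudo + ip_pkt[20:]) == 0


def frame(src_mac: bytes, dst_mac: bytes, ip_pkt: bytes) -> bytes:
    """Ethernet II frame with EtherType 0x0800 (IPv4)."""
    return dst_mac + src_mac + b"\x08\x00" + ip_pkt


def http_flow(request: str, sport: int):
    """Handshake, the GET, and the server's ACK: enough for the stream tracker
    to mark the session established before the request is inspected."""
    c, s = 1000, 5000                       # constructed initial sequence numbers
    data = request.encode()

    def to_srv(seq, ack, fl, p=b""):
        return frame(CLIENT_MAC, SERVER_MAC, ipv4_tcp(CLIENT_IP, SERVER_IP, sport, 80, seq, ack, fl, p))

    def to_cli(seq, ack, fl):
        return frame(SERVER_MAC, CLIENT_MAC, ipv4_tcp(SERVER_IP, CLIENT_IP, 80, sport, seq, ack, fl))

    return [
        to_srv(c, 0, SYN),
        to_cli(s, c + 1, SYN | ACK),
        to_srv(c + 1, s + 1, ACK),
        to_srv(c + 1, s + 1, PSHACK, data),
        to_cli(s + 1, c + 1 + len(data), ACK),
    ]


def build_pcap(requests=REQUESTS) -> bytes:
    """Little-endian pcap (linktype 1 = Ethernet), one TCP flow per request."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    ts, n = 1487348493, 0                   # 2017-02-17 16:21:33 UTC, the date of this post
    for i, req in enumerate(requests):
        for f in http_flow(req, 40000 + i):
            out += struct.pack("<IIII", ts, n * 1000, len(f), len(f)) + f
            n += 1
    return out


def count_frames(pcap: bytes) -> int:
    """Walk the pcap record headers and count the frames written."""
    off, n = 24, 0
    while off < len(pcap):
        (caplen,) = struct.unpack_from("<I", pcap, off + 8)
        off += 16 + caplen
        n += 1
    return n


if __name__ == "__main__":
    with open("pirrit-test.pcap", "wb") as fh:
        fh.write(build_pcap())
```

Run the script, then replay the file through a configuration that has the three rules loaded, for example `snort -c snort.conf -r pirrit-test.pcap -A console`; each rule should fire exactly once. The `http_uri` and `http_header` modifiers only match if the HTTP inspection preprocessor covers port 80 in that configuration, which is the usual default.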