[Snort-sigs] Osx.Adware.Pirrit

James Lay jlay at ...3266...
Fri Feb 17 11:31:22 EST 2017


Pace yourself YM!!!  LOL...NOT NOISE...this is great stuff...you do fine work my friend :)

James

On 2017-02-17 09:21, Y M wrote:
> Hello,
> 
> Sorry for the noise. This one is also a bit old and I did not find
> existing signatures for it. Like the one before, the signatures were
> derived from the reference article. No pcaps are available.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
> Osx.Adware.Pirrit outbound connection"; flow:to_server,established;
> content:"GET"; http_method; content:"/engine/getData.php?"; http_uri;
> fast_pattern:only; content:"type=service"; http_uri; content:"&file=";
> http_uri; metadata:ruleset community, service http;
> reference:url,objective-see.com/blog/blog_0x0E.html;
> classtype:trojan-activity; sid:1000844; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
> Osx.Adware.Pirrit outbound connection"; flow:to_server,established;
> content:"GET"; http_method; content:"/cld?mid="; http_uri;
> fast_pattern:only; content:"&ct="; http_uri;
> content:"User-Agent|3A 20|curl"; http_header;
> metadata:ruleset community, service http;
> reference:url,objective-see.com/blog/blog_0x0E.html;
> classtype:trojan-activity; sid:1000845; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
> Osx.Adware.Pirrit outbound connection"; flow:to_server,established;
> content:"GET"; http_method; content:"/update-effect?mid="; http_uri;
> fast_pattern:only; content:"&st="; http_uri;
> content:"User-Agent|3A 20|curl"; http_header;
> metadata:ruleset community, service http;
> reference:url,objective-see.com/blog/blog_0x0E.html;
> classtype:trojan-activity; sid:1000846; rev:1;)
> 
> Thank you.
> 
> YM
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> http://www.snort.org
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 
> Visit Snort.org to subscribe to the official Snort ruleset, make
> sure to stay up to date to catch the most emerging threats:
> https://snort.org/downloads/#rule-downloads
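Since the post notes that no pcaps are available, here is an added example (not code from the original message, from the poster, or from Snort) that builds one synthetic HTTP GET per quoted rule, carrying the literal URI pieces and the `User-Agent: curl` header each rule matches on, checks them against a minimal re-implementation of the rule conditions, and writes them to a pcap that can be replayed through Snort. The hostnames, parameter values, IP and MAC addresses are constructed placeholders, not indicators from the reference article.

```python
"""Synthetic test traffic for the three Pirrit rules quoted above (added example).
Everything here is constructed: the hosts, parameter values, addresses and
sequence numbers are placeholders, not indicators from the reference article.
"""
import struct

# Constructed requests, one per sid.  Only the literal pieces the rules match
# on are meaningful; everything after "=" is made up.
REQUESTS = {
    1000844: "GET /engine/getData.php?type=service&file=config.plist HTTP/1.1\r\n"
             "Host: adserver.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    1000845: "GET /cld?mid=0123456789abcdef&ct=1 HTTP/1.1\r\n"
             "Host: adserver.example\r\nUser-Agent: curl/7.51.0\r\n\r\n",
    1000846: "GET /update-effect?mid=0123456789abcdef&st=1 HTTP/1.1\r\n"
             "Host: adserver.example\r\nUser-Agent: curl/7.51.0\r\n\r\n",
}

def parse_request(raw):
    """Split a request into (method, uri, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _ = head[0].split(" ", 2)
    headers = dict(h.split(": ", 1) for h in head[1:] if ": " in h)
    return method, uri, headers

def matching_sids(raw):
    """Model of the rule conditions: GET, the http_uri substrings, and for
    sids 1000845/1000846 the header 'User-Agent: curl' (|3A 20| is ': ')."""
    method, uri, headers = parse_request(raw)
    curl_ua = headers.get("User-Agent", "").startswith("curl")
    sids = []
    if method != "GET":
        return sids
    if "/engine/getData.php?" in uri and "type=service" in uri and "&file=" in uri:
        sids.append(1000844)
    if "/cld?mid=" in uri and "&ct=" in uri and curl_ua:
        sids.append(1000845)
    if "/update-effect?mid=" in uri and "&st=" in uri and curl_ua:
        sids.append(1000846)
    return sids

# Minimal Ethernet/IPv4/TCP encoder and pcap writer (constructed addresses).
CLIENT_MAC, SERVER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CLIENT_IP, SERVER_IP = bytes([192, 168, 1, 50]), bytes([203, 0, 113, 10])

def checksum(data):
    """RFC 1071 ones'-complement sum; returns 0 over data that includes its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet II + IPv4 + TCP (no options) with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload

def verify_frame(fr):
    """True if the frame's IPv4 header and TCP checksums both verify."""
    pseudo = struct.pack("!4s4sBBH", fr[26:30], fr[30:34], 0, 6, len(fr) - 34)
    return checksum(fr[14:34]) == 0 and checksum(pseudo + fr[34:]) == 0

def session_frames(request, sport, cseq=1000, sseq=5000):
    """SYN, SYN/ACK, ACK (so flow:established holds), then the GET in a PSH/ACK."""
    def c2s(seq, ack, flags, data=b""):
        return frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, sport, 80, seq, ack, flags, data)
    def s2c(seq, ack, flags):
        return frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, sport, seq, ack, flags)
    return [c2s(cseq, 0, 0x02), s2c(sseq, cseq + 1, 0x12), c2s(cseq + 1, sseq + 1, 0x10),
            c2s(cseq + 1, sseq + 1, 0x18, request.encode())]

def all_frames():
    frames = []
    for i, sid in enumerate(sorted(REQUESTS)):
        frames += session_frames(REQUESTS[sid], 40000 + i)
    return frames

def build_pcap():
    """pcap bytes: global header (linktype 1 = Ethernet) plus one record per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for n, fr in enumerate(all_frames()):
        out.append(struct.pack("<IIII", 1487000000 + n, 0, len(fr), len(fr)) + fr)
    return b"".join(out)

if __name__ == "__main__":
    for sid, req in REQUESTS.items():
        print(sid, "->", matching_sids(req))
    with open("pirrit_test.pcap", "wb") as f:
        f.write(build_pcap())
```

Replay the file with `snort -r pirrit_test.pcap -c snort.conf -A console` against a config that loads the three rules; each session should fire exactly one sid. The `matching_sids` model only sanity-checks the literals (for instance, it shows that a `/cld?mid=...&ct=` request without a curl User-Agent should not fire 1000845), it is not a substitute for running the rules through Snort's HTTP inspector, which is what normalizes the `http_uri` and `http_header` buffers.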
