[Snort-sigs] Osx.Adware.IronCore

Tyler Montier tmontier at ...435...
Fri Feb 17 15:42:44 EST 2017


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Since you have a pcap available, could you send it my way?

Thanks,

Tyler Montier
Cisco Talos

On Fri, Feb 17, 2017 at 11:16 AM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> This came in as a "Surf Buyer" app for OS X. Any web page opened in
> Chrome/Safari/Firefox will result in a new tab opening/redirecting to a
> site with a self-signed certificate. The rules below are for detecting the
> outbound connections. Couldn't trigger on the self-signed certificate
> exchange! Pcap is available for this one.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.IronCore report status";
> flow:to_server,established; content:"GET"; http_method;
> content:"/report/?application="; fast_pattern:only; http_uri;
> content:"&guid="; http_uri; content:"&details="; http_uri; content:"&action="; http_uri;
> content:!"Connection"; http_header; content:!"Referer"; http_header;
> metadata:ruleset community, service http;
> reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/;
> classtype:trojan-activity; sid:1000841; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.IronCore ad inject";
> flow:to_server,established; urilen:>1000; content:"GET"; http_method;
> content:"/click?h="; fast_pattern:only; http_uri;
> content:"&subid="; http_uri; content:"&data_fb="; http_uri; content:"&data_rtt="; http_uri;
> content:"&data_proto="; http_uri; content:"&data_ic="; http_uri; content:"&data_ss="; http_uri;
> content:!"Referer"; http_header;
> metadata:ruleset community, service http;
> reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/;
> classtype:trojan-activity; sid:1000842; rev:1;)
>
> Thanks.
>
> YM
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit Snort.org to subscribe to the official Snort ruleset, and make sure
> to stay up to date to catch the most emerging threats:
> https://snort.org/downloads/#rule-downloads
>
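To sanity-check what the two submitted rules actually require before they go into a sensor, the following added harness (not part of the thread, and not Snort itself) emulates their match logic in Python over constructed HTTP requests: request method, the ordered URI tokens, the `urilen:>1000` floor, and the negated `http_header` contents. The host names, GUID and padding values are placeholders invented for the example; real IronCore traffic lives in the poster's pcap, not here.

```python
"""Emulate the match conditions of SID 1000841 / 1000842 on raw HTTP requests.

Hypothetical test harness written for this thread; it is not Snort and does no
normalisation. Substring checks are case-sensitive, like `content` without
`nocase`, and the negated header checks look at the whole header block.
"""
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: str  # raw header block after the request line


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, URI and header block."""
    text = raw.decode("latin-1")
    head, _, _body = text.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    method, uri, _version = parts
    return HttpRequest(method, uri, header_block)


# URI tokens taken verbatim from the two rules above.
REPORT_TOKENS = ("/report/?application=", "&guid=", "&details=", "&action=")
CLICK_TOKENS = ("/click?h=", "&subid=", "&data_fb=", "&data_rtt=",
                "&data_proto=", "&data_ic=", "&data_ss=")


def matches_report_status(req: HttpRequest) -> bool:
    """SID 1000841: GET, all four URI tokens, no Connection/Referer header text."""
    return (req.method == "GET"
            and all(tok in req.uri for tok in REPORT_TOKENS)
            and "Connection" not in req.headers
            and "Referer" not in req.headers)


def matches_ad_inject(req: HttpRequest) -> bool:
    """SID 1000842: GET, URI longer than 1000 bytes, all seven tokens, no Referer."""
    return (req.method == "GET"
            and len(req.uri) > 1000
            and all(tok in req.uri for tok in CLICK_TOKENS)
            and "Referer" not in req.headers)


def evaluate(raw: bytes) -> dict:
    """Return which of the two rules a raw request would satisfy."""
    req = parse_request(raw)
    return {"1000841": matches_report_status(req),
            "1000842": matches_ad_inject(req)}


def build_request(uri: str, headers: list) -> bytes:
    """Assemble a minimal HTTP/1.1 GET request (constructed sample input)."""
    lines = [f"GET {uri} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed samples; host, GUID and padding are placeholders, not real IoCs.
REPORT_URI = "/report/?application=surfbuyer&guid=PLACEHOLDER-GUID&details=x&action=start"
REPORT_HIT = build_request(REPORT_URI, [("Host", "example.invalid"),
                                        ("User-Agent", "SurfBuyer/1.0")])
# Same URI, but a Referer header is present, so the negated content fails.
REPORT_MISS_REFERER = build_request(REPORT_URI, [("Host", "example.invalid"),
                                                 ("Referer", "http://example.invalid/")])

PADDING = "A" * 1000  # pushes the URI over the urilen:>1000 floor
CLICK_URI = ("/click?h=abc&subid=1&data_fb={pad}&data_rtt=5&data_proto=https"
             "&data_ic=1&data_ss=1")
CLICK_HIT = build_request(CLICK_URI.format(pad=PADDING), [("Host", "example.invalid")])
# Same tokens, but the URI is far shorter than 1000 bytes.
CLICK_MISS_SHORT = build_request(CLICK_URI.format(pad=""), [("Host", "example.invalid")])

if __name__ == "__main__":
    for name, sample in (("REPORT_HIT", REPORT_HIT),
                         ("REPORT_MISS_REFERER", REPORT_MISS_REFERER),
                         ("CLICK_HIT", CLICK_HIT),
                         ("CLICK_MISS_SHORT", CLICK_MISS_SHORT)):
        print(name, evaluate(sample))
```

Two things the harness makes visible: `content:!"Connection"` fires only when the client sends no Connection header at all (a quirk of this adware's HTTP client, and the reason a normal browser request with `Connection: keep-alive` never matches), and `urilen:>1000` is doing real work in the second rule, since the same token set on a short URI is rejected. The harness checks `&data_ic=` in the URI buffer like the other tokens, which is what the rule should be asserting with `http_uri`.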