[Snort-sigs] Osx.Trojan.OceanLotus

Tyler Montier tmontier at ...435...
Fri Feb 17 15:43:43 EST 2017


Yaser,

Thanks for your submission. We will review the rule and get back to you
when it's finished.

Sincerely,

Tyler Montier
Cisco Talos

On Fri, Feb 17, 2017 at 11:18 AM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> This one is a bit old, but I did not find an existing signature for it.
> The signature is derived from the reference article. No pcaps available.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; http_uri; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:1000843; rev:1;)
>
>
> Thanks.
>
> YM
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
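Since no pcaps were available to the submitter, a quick offline way to sanity-check the rule's content logic is to replay constructed HTTP requests through a small model of its clauses. The script below is an added example and not part of the submission or of any Snort code: it mirrors each content/modifier clause of sid:1000843 (the flow: clauses are assumed satisfied), using Snort's default case-sensitive substring semantics for content matches, and runs it over requests that are constructed here, not taken from the reference article. Every URI, host and parameter value in the samples is an assumption; the real beacon format is only in the referenced AlienVault write-up.

```python
"""Offline check of the OceanLotus rule's content clauses over constructed HTTP requests.

Added example: a simplified model of Snort's http_method / http_uri / http_header
buffers, not Snort's http_inspect preprocessor (no URI normalization is applied).
"""
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str   # what content:"..."; http_method; would inspect
    uri: str      # what content:"..."; http_uri; would inspect
    headers: str  # header block without the request line (http_header buffer)


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, URI and header block."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.decode("ascii", "replace").split(" ", 2)
    return HttpRequest(method=method, uri=uri, headers=headers.decode("ascii", "replace"))


def rule_matches(raw: bytes) -> bool:
    """Return True when every content clause of sid:1000843 is satisfied.

    Matches are plain case-sensitive substring tests, as the rule has no nocase.
    """
    req = parse_request(raw)
    checks = [
        req.method == "GET",               # content:"GET"; http_method;
        b"/sigstore.db?" in raw,           # content:"/sigstore.db?"; fast_pattern:only; (raw payload)
        "k=" in req.uri,                   # content:"k="; http_uri;
        "?q=" in req.uri,                  # content:"?q="; http_uri;
        "User-Agent" not in req.headers,   # content:!"User-Agent"; http_header;
        "Connection" not in req.headers,   # content:!"Connection"; http_header;
    ]
    return all(checks)


# Constructed sample requests (assumptions for illustration, not captured traffic).
BEACON = (b"GET /sigstore.db?q=AAAA&k=BBBB HTTP/1.1\r\n"
          b"Host: 192.0.2.10\r\n\r\n")
# Same URI but with the headers a browser would send: the negated clauses suppress the alert.
BROWSER = (b"GET /sigstore.db?q=AAAA&k=BBBB HTTP/1.1\r\n"
           b"Host: 192.0.2.10\r\n"
           b"User-Agent: Mozilla/5.0\r\n"
           b"Connection: keep-alive\r\n\r\n")
# Parameters in the other order: "?q=" no longer appears literally in the URI.
K_FIRST = (b"GET /sigstore.db?k=BBBB&q=AAAA HTTP/1.1\r\n"
           b"Host: 192.0.2.10\r\n\r\n")
# Wrong method.
POSTED = (b"POST /sigstore.db?q=AAAA&k=BBBB HTTP/1.1\r\n"
          b"Host: 192.0.2.10\r\n\r\n")


def evaluate_samples() -> dict:
    """Run the rule model over every sample and report which ones would alert."""
    samples = {"beacon": BEACON, "browser": BROWSER, "k_first": K_FIRST, "posted": POSTED}
    return {name: rule_matches(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:8s} -> {'ALERT' if fired else 'no alert'}")
```

Two things the model makes visible that are worth checking against the reference article before the rule ships: the literal "?q=" requires q to be the first query parameter, so a beacon whose query string starts with k= would be missed; and because content:!"Connection" is a substring test over the whole header block, any header containing that string (a Proxy-Connection: header, for instance) also suppresses the alert, not only a Connection: header.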