[Snort-sigs] Osx.Adware.Pirrit

Tyler Montier tmontier at ...435...
Fri Feb 17 15:45:16 EST 2017


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Thanks,

Tyler Montier
Cisco Talos

On Fri, Feb 17, 2017 at 11:21 AM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> Sorry for the noise 😊. This one is also a bit old and I did not
> find existing signatures for it. Like the one before, the
> signatures were derived from the reference article. No pcaps are available.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/engine/getData.php?"; fast_pattern:only; content:"type=service"; http_uri; content:"&file="; http_uri; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000844; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/cld?mid="; fast_pattern:only; content:"&ct="; http_uri; content:"User-Agent|3A 20|curl"; http_header; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000845; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Pirrit outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/update-effect?mid="; fast_pattern:only; content:"&st="; content:"User-Agent|3A 20|curl"; http_header; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x0E.html; classtype:trojan-activity; sid:1000846; rev:1;)
>
> Thank you.
>
> YM
>
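An added example, not part of the mailing-list thread or of any Talos or Snort tooling: a small offline checker that applies the content conditions of the three submitted rules (sids 1000844, 1000845, 1000846) to constructed HTTP requests, so a reviewer can see which request shapes each rule keys on before any pcap exists. It approximates Snort's buffers: `http_method` is the request method, `http_uri` the request target, `http_header` the raw header block, and a content with no buffer modifier (the `fast_pattern:only` strings and the bare `&st=`) is matched against the whole request. The sample requests are constructed for the example and are not captured Pirrit traffic.

```python
# Added example (not from the original post): replay the content conditions of
# the three Pirrit rules against constructed HTTP requests. Snort buffers are
# approximated: method -> http_method, uri -> http_uri, header -> http_header,
# raw -> whole request (for contents with no buffer modifier).

from dataclasses import dataclass

# One entry per sid: list of (buffer, byte pattern). Snort's "|3A 20|" is hex
# for ": ", so "User-Agent|3A 20|curl" is the bytes "User-Agent: curl".
RULES = {
    1000844: [("method", b"GET"), ("raw", b"/engine/getData.php?"),
              ("uri", b"type=service"), ("uri", b"&file=")],
    1000845: [("method", b"GET"), ("raw", b"/cld?mid="),
              ("uri", b"&ct="), ("header", b"User-Agent: curl")],
    1000846: [("method", b"GET"), ("raw", b"/update-effect?mid="),
              ("raw", b"&st="), ("header", b"User-Agent: curl")],
}


@dataclass
class Buffers:
    method: bytes
    uri: bytes
    header: bytes
    raw: bytes


def split_buffers(raw: bytes) -> Buffers:
    """Split a raw HTTP/1.x request into the buffers the rules inspect."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ", 2)
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return Buffers(method=parts[0], uri=parts[1], header=header_block, raw=raw)


def matching_sids(raw: bytes) -> list:
    """Return the sids whose content conditions are all satisfied by the request.

    Matching is case-sensitive, as in the rules (none of them uses nocase)."""
    bufs = split_buffers(raw)
    hits = []
    for sid, conditions in RULES.items():
        if all(pattern in getattr(bufs, buf) for buf, pattern in conditions):
            hits.append(sid)
    return hits


# Constructed samples (not real traffic): one request per rule, one that has the
# right URI but a non-curl User-Agent, and one benign request.
SAMPLES = {
    "getData": (b"GET /engine/getData.php?type=service&file=cfg HTTP/1.1\r\n"
                b"Host: example.invalid\r\nUser-Agent: curl/7.54.0\r\n\r\n"),
    "cld": (b"GET /cld?mid=0123abcd&ct=1 HTTP/1.1\r\n"
            b"Host: example.invalid\r\nUser-Agent: curl/7.54.0\r\n\r\n"),
    "update_effect": (b"GET /update-effect?mid=0123abcd&st=1 HTTP/1.1\r\n"
                      b"Host: example.invalid\r\nUser-Agent: curl/7.54.0\r\n\r\n"),
    "update_effect_browser": (b"GET /update-effect?mid=0123abcd&st=1 HTTP/1.1\r\n"
                              b"Host: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    "benign": (b"GET /index.html HTTP/1.1\r\n"
               b"Host: example.invalid\r\nUser-Agent: curl/7.54.0\r\n\r\n"),
}


if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name:22s} -> {matching_sids(request)}")
```

The fourth sample shows that rules 1000845 and 1000846 depend on the `User-Agent: curl` header as much as on the URI, so a variant of the client that changes its User-Agent string would not fire them; only the first rule is keyed on the URI alone.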