phillile at sourcefire.com
Tue Apr 10 11:36:43 EDT 2018
After reviewing this rule, we have decided not to add it to the community ruleset. We have existing coverage via sid:46156 We appreciate your contribution.
> On Apr 3, 2018, at 9:37 AM, Phillip Lee <phillile at sourcefire.com> wrote:
> Thanks for your submission. We will review the rules and get back to you when they're finished.
> Phil Lee
> Cisco Talos
>> On Apr 3, 2018, at 9:11 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org <mailto:snort-sigs at lists.snort.org>> wrote:
>> The below rule is for Coldroot RAT. Unfortunately, I don't have a pcap for this one.
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Torjan.ColdRoot outbound connection"; flow:to_server,established; content:"|7B 22|Ver|22 3A|"; content:"|2C 22|RAM|22 3A|"; fast_pattern:only; content:"|2C 22|CAM|22 3A|"; content:"|2C 22|Serial|22 3A|"; content:"|2C 22|PCName|22 3A|"; content:"|2C 22|OS|22 3A|"; content:"|2C 22|ID|22 3A|"; content:"|2C 22|AW|22 3A|"; content:"|2C 22|AV|22 3A|"; metadata:ruleset community; reference:url,objective-see.com/blog/blog_0x2A.html <http://objective-see.com/blog/blog_0x2A.html>; reference:url,www.virustotal.com/#/file/ad99954171ca4a949c4d82f4851d29e6d19323087df92a7d7133c13950569f29/detection <http://www.virustotal.com/#/file/ad99954171ca4a949c4d82f4851d29e6d19323087df92a7d7133c13950569f29/detection>; classtype:trojan-activity; sid:9000048; rev:1;)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs