snort at outlook.com
Fri Apr 27 10:13:22 EDT 2018
I was not able to find information to write signatures of the TLS traffic. However, the malware listener accepts rather unique HTTP traffic according to the analysis in the reference. No pcaps available.
# Title: Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
# Reference: https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Proxysvc listener inbound execute command"; flow:to_server,established; content:"Content-Type|3A 20|8U7y3Ju387mVp49A"; fast_pattern:only; http_header; content:"Content-Length"; http_header; metadata:ruleset community, service http; reference:url,securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/; classtype:trojan-activity; sid:8000019; rev:1;)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs