[Snort-sigs] Win.Trojan.Fareit signature

Y M snort at outlook.com
Thu Jan 4 13:22:25 EST 2018


Hi,


The detection for the client_body is clumsy in this one since it appears to be dynamic and changes on each request. One request had post body variables that can be sig'ed but it wouldn't trigger on other requests. Pcap is available for this one.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit/VBKrypt/Neurevt outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; fast_pattern:only; http_uri; content:"Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:"="; depth:10; http_client_body; content:"&"; distance:0; http_client_body; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,virustotal.com/en/file/6de535e8d4b82e5554a138ec1d6c6b530943ff08d5e04308d695f473e74f9600/analysis/; classtype:trojan-activity; sid:9000007; rev:1;)


Thanks.

YM

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180104/aaa7e1ae/attachment.html>


More information about the Snort-sigs mailing list