[Snort-sigs] Win.Trojan.Fareit signature

Tyler Montier tmontier at sourcefire.com
Mon Jan 8 10:57:33 EST 2018


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Since you have pcaps, can you send them our way?

Sincerely,

Tyler Montier,
Cisco Talos


On Thu, Jan 4, 2018 at 1:22 PM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:

> Hi,
>
>
> The detection for the client_body is clumsy in this one since it appears
> to be dynamic and changes on each request. One request had post body
> variables that can be sig'ed but it wouldn't trigger on other requests.
> Pcap is available for this one.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
>     msg:"MALWARE-CNC Win.Trojan.Fareit/VBKrypt/Neurevt outbound connection"; \
>     flow:to_server,established; \
>     content:"POST"; http_method; \
>     content:".php"; fast_pattern:only; http_uri; \
>     content:"Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|"; http_header; \
>     content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; \
>     content:"="; depth:10; http_client_body; \
>     content:"&"; distance:0; http_client_body; \
>     content:!"Connection"; http_header; \
>     content:!"Accept"; http_header; \
>     content:!"Referer"; http_header; \
>     metadata:ruleset community, service http; \
>     reference:url,virustotal.com/en/file/6de535e8d4b82e5554a138ec1d6c6b530943ff08d5e04308d695f473e74f9600/analysis/; \
>     classtype:trojan-activity; \
>     sid:9000007; rev:1; \
> )
>
>
> Thanks.
>
> YM
>
>
>
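The following is an added example, not code from the thread or from Talos: a plain-Python model of the content checks in the submitted rule, run over constructed HTTP requests (sample data invented here, not taken from the pcap YM mentions). It makes the point about the client_body checks concrete: the rule only requires an "=" somewhere in the first 10 bytes of the POST body followed by an "&" anywhere after it, so a body whose first key is longer than nine characters does not match. Header matching is approximated as case-sensitive substring search over the raw header block (the rule uses no nocase); Snort's http_header buffer is normalized, so treat this as a model of the rule's logic, not a substitute for running Snort against the pcap.

```python
"""Model of the submitted Snort rule's content checks (added example;
hypothetical helper names, constructed sample requests)."""


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, header_block, body).

    header_block is returned with every header line terminated by CRLF so
    that content matches ending in |0D 0A| behave as they do in the rule.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, _version = parts
    if header_block:
        header_block += b"\r\n"
    return method, uri, header_block, body


def matches_rule(raw: bytes) -> bool:
    """Return True when every content option of the rule would match."""
    method, uri, headers, body = parse_request(raw)

    # content:"POST"; http_method;
    if method != b"POST":
        return False
    # content:".php"; fast_pattern:only; http_uri;
    if b".php" not in uri:
        return False
    # content:"Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|"; http_header;
    # content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header;
    for required in (b"Content-Type: application/x-www-form-urlencoded\r\n",
                     b"Cache-Control: no-cache\r\n"):
        if required not in headers:
            return False
    # content:!"Connection"; content:!"Accept"; content:!"Referer"; http_header;
    # Negated matches: the rule fires only when none of these strings appears
    # anywhere in the header block (so "Accept-Encoding" also blocks a match).
    for forbidden in (b"Connection", b"Accept", b"Referer"):
        if forbidden in headers:
            return False
    # content:"="; depth:10; http_client_body;
    # depth:10 restricts the search to the first 10 bytes of the body.
    eq = body.find(b"=", 0, 10)
    if eq < 0:
        return False
    # content:"&"; distance:0; http_client_body;
    # distance:0 means "anywhere after the end of the previous match".
    return body.find(b"&", eq + 1) >= 0


# Constructed sample 1: the request shape the rule is aimed at.
FAREIT_LIKE = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"a1b2c3=d4e5f6&g7=h8i9j0"
)

# Constructed sample 2: an ordinary browser form post; the Referer,
# Accept and Connection headers each independently block the match.
BROWSER_FORM = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Referer: http://example.invalid/login.php\r\n"
    b"Accept: text/html\r\n"
    b"Connection: keep-alive\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"user=alice&pass=hunter2"
)

# Constructed sample 3: identical headers, but the first body key is longer
# than nine bytes, so the "=" falls outside depth:10 and the rule misses it.
LONG_KEY_BODY = FAREIT_LIKE.replace(b"a1b2c3=d4e5f6&g7=h8i9j0",
                                    b"sessionidentifier=1&x=2")

if __name__ == "__main__":
    for name, sample in (("fareit_like", FAREIT_LIKE),
                         ("browser_form", BROWSER_FORM),
                         ("long_key_body", LONG_KEY_BODY)):
        print(f"{name}: {'ALERT' if matches_rule(sample) else 'no match'}")
```

The third sample is the failure mode YM describes: because the body variables change per request, a body-side check this loose is essentially a check on key length rather than on anything specific to the malware, while the header-side negations do most of the real work.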