<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Appreciate it, Joel,<div class=""><br class=""></div><div class="">Drop a note here if you find out anything worth mentioning.</div><div class=""><br class=""></div><div class="">Cheers,</div><div class="">Elliot</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 19 Jan 2016, at 23:33, Joel Esler (jesler) <<a href="mailto:jesler@...180.....3865..." class="">jesler@...3865...</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">

<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Elliot —
<div class=""><br class="">
</div>
<div class="">I’ll have someone take a look at this.. However, have you looked at sid 35448?</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
--</div>
<div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<br class="">
</div>
<br class="Apple-interchange-newline" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span class=""><span id="cid:AB24196E-C2C1-4B75-8152-92E8AC5EBF39@...4130..."><image002.png></span></span><br class="Apple-interchange-newline" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<table width="543" border="0" cellpadding="0" cellspacing="0" style="letter-spacing: normal; orphans: auto; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; font-family: Times;" class="">
<tbody class="">
<tr class="">
</tr>
</tbody>
</table>
<table width="543" border="0" cellpadding="0" cellspacing="0" style="letter-spacing: normal; orphans: auto; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; font-family: Times;" class="">
<tbody class="">
<tr class="">
<td valign="top" align="left" nowrap="nowrap" style="padding-left: 24px; padding-bottom: 0px;" class=""><p style="font-family: Arial, Helvetica, sans-serif; font-size: 11px; color: rgb(102, 102, 102);" class="">
<strong class=""><br class="Apple-interchange-newline">
Joel Esler</strong><br class="">
Manager, Open Source & Threat Intelligence<br class="">
Talos<br class="">
<a href="mailto:jesler@...3865..." style="color: rgb(102, 102, 102); text-decoration: none;" class="">jesler@...3865...</a><br class="">
</p>
</td>
<td valign="top" width="50%" style="padding-left: 20px; padding-bottom: 10px; padding-top: 15px;" class=""><p style="font-family: Arial, Helvetica, sans-serif; font-size: 11px; color: rgb(102, 102, 102);" class="">
<br class="">
<br class="">
</p>
</td>
</tr>
<tr class="">
<td colspan="3" class=""></td>
</tr>
</tbody>
</table>
<span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br class="">
<div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<br class="Apple-interchange-newline">
<br class="Apple-interchange-newline">
<br class="">
</div>
<table width="543" border="0" cellpadding="0" cellspacing="0" style="letter-spacing: normal; orphans: auto; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; font-family: Times;" class="">
<tbody class="">
<tr class="">
<td valign="top" align="left" nowrap="nowrap" style="padding-left: 24px; padding-bottom: 0px;" class="">
<br class="">
</td>
<td valign="top" width="50%" style="padding-left: 20px; padding-bottom: 10px; padding-top: 15px;" class="">
<br class="">
</td>
</tr>
<tr class="">
<td colspan="3" class=""><br class="">
</td>
</tr>
</tbody>
</table>
</span></span></span></div>
<br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Jan 19, 2016, at 3:56 PM, Elliot Anderson <<a href="mailto:new.http.451@...2420..." class="">new.http.451@...2420...</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Hello all,
<div class=""><br class="">
</div>
<div class="">Anybody struggled with the 1:33188 sig previously. The thing is that this signature:</div>
<div class=""><br class="">
</div>
<div class=""><font face="-apple-system-font" class=""><span style="line-height: 16px;" class="">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection”; flow:to_server,established; content</span></font><b style="font-family: -apple-system-font; line-height: 16px;" class="">:"/stats/eurofxref/eurofxref-hist-90d.xml</b><span style="font-family: -apple-system-font; line-height: 16px;" class="">";
 http_uri; content:"Host|3A 20|</span><a href="http://www.ecb.europa.eu/" style="font-family: -apple-system-font; line-height: 16px;" class="">www.ecb.europa.eu</a><span style="font-family: -apple-system-font; line-height: 16px;" class="">|0D 0A|"; fast_pattern:only;
 http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33188; rev:4; )</span></div>
<div class=""><span style="font-family: -apple-system-font; line-height: 16px;" class=""><br class="">
</span></div>
<div class=""><font face="-apple-system-font" class=""><span style="line-height: 16px;" class="">Quite often triggers on legitimate traffic not associated with any CNC connections, just simple browsing and request for file </span></font><span style="font-family: -apple-system-font; line-height: 16px;" class="">from
 the European Central Bank (ECB) which contains the last 90 days of “Euro foreign exchange reference rates” and is updated daily. However Trojan Bedep uses it as part of DGA scheme.</span></div>
<div class=""><span style="font-family: -apple-system-font; line-height: 16px;" class=""><br class="">
</span></div>
<div class=""><font face="-apple-system-font" class=""><span style="line-height: 16px;" class="">Are there any supplement signatures for this activity cause this one isn't working exactly the way we would like and expect it to work.</span></font></div>
<div class=""><span style="font-family: -apple-system-font; line-height: 16px;" class=""><br class="">
</span></div>
<div class=""><span style="font-family: -apple-system-font; line-height: 16px;" class="">Thanks for any comments,</span></div>
<div class=""><font face="-apple-system-font" class=""><span style="line-height: 16px;" class="">Elliot</span></font></div>
</div>
------------------------------------------------------------------------------<br class="">
Snort-sigs mailing list<br class="">
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" class="">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a></div>
</blockquote>
</div>
<br class="">
</div>
</div>

</div></blockquote></div><br class=""></div></body></html>