<div dir="ltr"><div>Dear Yaser,</div><div><br></div><div>Thanks for your submission. We will review and test the rule and get back to you when they're finished. </div><div><br></div><div>Do you have any pcaps or hashes available?</div><div><br></div><div>Sincerely</div><div><br></div><div>Tyler Montier</div><div>Cisco Talos</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 10, 2017 at 4:12 AM, Y M <span dir="ltr"><<a href="mailto:snort@...3751..." target="_blank">snort@...3751...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div dir="ltr">
<div id="m_6412313912748679137divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<p>Hello,</p>
<p><br>
</p>
<p>This one for Sage "2.0" ransomware performing its post-infection C&C. There are several samples circulating. I have seen references mentioning that Sage is a variant of CryLocker, but some of the samples generate the same UDP traffic observed from Cerber.
 The ransom notes also resembles that of Cerber.</p>
<p><br>
</p>
<p><span style="font-size:9pt;font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Sage variant outbound connection"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"
 / HTTP/1."; content:"Connection|3A 20|close|0D 0A|"; fast_pattern:only; http_header; content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,string,<wbr>dec,relative; byte_test:3,<,170,0,string,<wbr>dec,relative; content:!"User-Agent"; http_header; content:!"Accept";
 http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000824; rev:1;)</span><br>
</p>
<p><span><br>
</span></p>
<p><span>Thank you.</span></p><span class="HOEnZb"><font color="#888888">
<p><span>YM</span></p>
</font></span></div>
</div>

<br>------------------------------<wbr>------------------------------<wbr>------------------<br>
Check out the vibrant tech community on one of the world's most<br>
engaging tech sites, SlashDot.org! <a href="http://sdm.link/slashdot" rel="noreferrer" target="_blank">http://sdm.link/slashdot</a><br>______________________________<wbr>_________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...1744...<wbr>net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" rel="noreferrer" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-sigs</a><br>
<br>
<a href="http://www.snort.org" rel="noreferrer" target="_blank">http://www.snort.org</a><br>
<br>
Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br>
<br>
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" <a href="https://snort.org/downloads/#rule-downloads" rel="noreferrer" target="_blank">https://snort.org/downloads/#<wbr>rule-downloads</a>">emerging threats</a>!<br></blockquote></div><br></div>