<div dir="ltr"><div>Dear Yaser,</div><div><br></div><div>Thanks for your submission. We will review and test the rules and get back to you when they're finished. </div><div><br></div><div>Do you have any pcaps or hashes of the malware available?</div><div><br></div><div>Sincerely</div><div><br></div><div>Tyler Montier</div><div>Cisco Talos</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 10, 2017 at 4:07 AM, Y M <span dir="ltr"><<a href="mailto:snort@...3713...51..." target="_blank">snort@...3751...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div dir="ltr">
<div id="m_-8863777062944933732divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hello, </p>
<p><br>
</p>
<p>Below two signatures detect the initial JS downloader and post-infection C&C.</p>
<p><br>
</p>
<p></p>
<div><span style="font-size:9pt;font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant JS downloader outbound connection"; flow:to_server,established; urilen:<100; content:"GET"; http_method;
 content:"/counter/?"; fast_pattern:only; http_uri; content:"UA-CPU|3A 20|"; http_header; content:"MSIE 7.0|3B|"; http_header; content:!"Referer"; http_header; pcre:"/\/counter\/\x3f\w+/U"; metadata:ruleset community, service http; classtype:trojan-activity;
 sid:1000821; rev:1;)</span></div>
<div><span style="font-size:9pt;font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-size:9pt;font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; dsize:55<>205; content:!" HTTP/"; content:"|00
 00 00|"; offset:1; metadata:ruleset community; classtype:trojan-activity; sid:1000822; rev:1;)</span></div>
<br>
<p></p>
<p>Thank you.</p><span class="HOEnZb"><font color="#888888">
<p>YM</p>
</font></span></div>
</div>

<br>------------------------------<wbr>------------------------------<wbr>------------------<br>
Check out the vibrant tech community on one of the world's most<br>
engaging tech sites, SlashDot.org! <a href="http://sdm.link/slashdot" rel="noreferrer" target="_blank">http://sdm.link/slashdot</a><br>______________________________<wbr>_________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...1744...<wbr>net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" rel="noreferrer" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-sigs</a><br>
<br>
<a href="http://www.snort.org" rel="noreferrer" target="_blank">http://www.snort.org</a><br>
<br>
Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br>
<br>
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" <a href="https://snort.org/downloads/#rule-downloads" rel="noreferrer" target="_blank">https://snort.org/downloads/#<wbr>rule-downloads</a>">emerging threats</a>!<br></blockquote></div><br></div>