<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Hello,</p>
<p><br>
</p>
<p>This one is a bit old, but I did not find an existing signature for it. The signature is derived from the reference article. No pcaps available.</p>
<p><br>
</p>
<p><span style="font-size: 9pt; font-family: Consolas, monospace;">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:"/sigstore.db?";
 fast_pattern:only; content:"k="; http_uri; content:"?q="; http_uri; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update;
 classtype:trojan-activity; sid:1000843; rev:1;)</span><br>
</p>
<p><span><br>
</span></p>
<p><span>Thanks.</span></p>
<p><span>YM</span></p>
</div>
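<p>Added example, not part of the original message: with no pcaps available, this Python sketch approximates the rule's content checks so its logic can be exercised against constructed requests. The host name, parameter values and extra headers are constructed, and the substring checks only approximate Snort's http_method, http_uri and http_header buffers.</p>

```python
"""Approximate the content checks of sid:1000843 on raw HTTP requests."""

def split_request(raw: bytes):
    """Return (method, uri, header_block) for a raw client request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], headers

def rule_matches(raw: bytes) -> bool:
    """Case-sensitive substring checks, one per rule option (no nocase in the rule)."""
    try:
        method, uri, headers = split_request(raw)
    except ValueError:
        return False
    return (
        b"GET" in method                      # content:"GET"; http_method
        and b"/sigstore.db?" in raw           # fast_pattern:only content
        and b"k=" in uri                      # content:"k="; http_uri
        and b"?q=" in uri                     # content:"?q="; http_uri
        and b"User-Agent" not in headers      # content:!"User-Agent"; http_header
        and b"Connection" not in headers      # content:!"Connection"; http_header
    )

# Constructed requests: host, parameter values and extra headers are made up.
URI = b"/sigstore.db?k=AAAA?q=BBBB"
HOST = b"Host: c2.example.invalid\r\n"
SAMPLES = {
    "rule_shape": b"GET " + URI + b" HTTP/1.1\r\n" + HOST + b"\r\n",
    "with_user_agent": b"GET " + URI + b" HTTP/1.1\r\n" + HOST
                       + b"User-Agent: curl/8.0\r\nConnection: close\r\n\r\n",
    "other_path": b"GET /index.html?k=1?q=2 HTTP/1.1\r\n" + HOST + b"\r\n",
    "post_method": b"POST " + URI + b" HTTP/1.1\r\n" + HOST + b"\r\n",
    "lowercase_ua": b"GET " + URI + b" HTTP/1.1\r\n" + HOST
                    + b"user-agent: x\r\n\r\n",
}

def evaluate():
    """Map each constructed sample name to whether the approximated rule fires."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16} {'ALERT' if hit else 'no match'}")
```

<p>In this approximation the lowercase_ua sample still alerts, because the negated header checks are case-sensitive as written in the rule.</p>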
</body>
</html>