<div dir="ltr">Yaser,<div><br></div><div>Thanks for your submission. We will review the rules and get back to you when they're finished. </div><div><br></div><div>Since you have pcaps available, can you send them my way?</div><div><br></div><div>Thanks,</div><div><br></div><div>Tyler Montier</div><div>Cisco Talos</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 22, 2017 at 3:22 PM, Y M <span dir="ltr"><<a href="mailto:snort@...3751..." target="_blank">snort@...3751...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div dir="ltr">
<div id="m_4075551242005816571divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<p>Hello,</p>
<p><br>
</p>
<div>This one is detected as either Zeus or Fareit by AV (because of the /gate.php...?). However, the host and network profiles/behavior do not match either, as far as I know. I used Yara to help with this and still no luck. It is somehow similar to sid:41442 yet different. So I went ahead and called it "Isg" based on the HTTP responses. Please feel free to name this one, or if anyone has seen this traffic before, please do let us know.</div>
<div><br>
</div>
<div>Additional details and pcaps are available.</div>
<br>
<div><span style="font-size:9pt;font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Isg getconfig request"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; fast_pattern:only; http_uri; content:"WebKitFormBoundary"; http_header; content:"|20|form-data|3B 20|name=|22|getconfig|22|"; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000851; rev:1;)</span></div>
<div><br>
</div>
<div><span style="font-size:9pt;font-family:Consolas,monospace">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Isg getconfig response"; flow:to_client,established; file_data; content:"IS_G_PWDS:"; content:"IS_G_DOUBLE:"; content:"IS_G_BROWSERS:"; content:"IS_G_COINS:"; content:"IS_G_SKYPE"; content:"IS_G_STEAM:"; content:"IS_G_DESKTOP"; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000852; rev:1;)</span></div>
<div><br>
</div>
<div>Thanks.</div><span class="HOEnZb"><font color="#888888">
<div>YM</div>
<br>
</font></span></div>
</div>

<br>______________________________<wbr>_________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...1744...<wbr>net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" rel="noreferrer" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-sigs</a><br>
<br>
<a href="http://www.snort.org" rel="noreferrer" target="_blank">http://www.snort.org</a><br>
<br>
Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br>
<br>
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most <a href="https://snort.org/downloads/#rule-downloads" rel="noreferrer" target="_blank">emerging threats</a>!<br></blockquote></div><br></div>
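Added example, not part of the thread and not Snort's own code: a small Python harness that re-implements the content checks of the two proposed rules (sid:1000851 for the getconfig request, sid:1000852 for the getconfig response) so their matching logic can be exercised against constructed HTTP messages before a pcap is available. The sample request, response, boundary string, hostname and the helper function names are all constructed for illustration.

```python
"""
Plain-Python mirror of the content checks in the two proposed Snort rules,
sid:1000851 (getconfig request) and sid:1000852 (getconfig response).
This is an added illustration, not Snort's matcher; all HTTP messages built
below are constructed samples, not captured traffic.
"""

# Markers the response rule requires in the file_data buffer (response body).
RESPONSE_MARKERS = [
    b"IS_G_PWDS:", b"IS_G_DOUBLE:", b"IS_G_BROWSERS:", b"IS_G_COINS:",
    b"IS_G_SKYPE", b"IS_G_STEAM:", b"IS_G_DESKTOP",
]


def split_http(raw: bytes):
    """Split a raw HTTP message into (start line, header block, body).
    The header block mirrors Snort's http_header buffer: header lines only,
    without the request/status line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start, _, header_block = head.partition(b"\r\n")
    return start, header_block + b"\r\n", body


def matches_getconfig_request(raw: bytes) -> bool:
    """Mirror of sid:1000851 (client -> server)."""
    start, headers, _body = split_http(raw)
    fields = start.split(b" ")
    if len(fields) < 2 or fields[0] != b"POST":       # content:"POST"; http_method
        return False
    if b"/gate.php" not in fields[1]:                  # content:"/gate.php"; http_uri
        return False
    if b"WebKitFormBoundary" not in headers:           # content:"WebKitFormBoundary"; http_header
        return False
    if b' form-data; name="getconfig"' not in raw:     # no http_* modifier: raw payload
        return False
    if b"Referer: " not in headers:                    # content:"Referer|3A 20|"; http_header
        return False
    if b"Connection: close\r\n" not in headers:        # content:"Connection|3A 20|close|0D 0A|"
        return False
    if b"Accept" in headers:                           # content:!"Accept"; http_header
        return False
    return True


def matches_getconfig_response(raw: bytes) -> bool:
    """Mirror of sid:1000852 (server -> client): every IS_G_* marker must
    appear in the response body (Snort's file_data buffer)."""
    _start, _headers, body = split_http(raw)
    return all(marker in body for marker in RESPONSE_MARKERS)


def build_request(extra_headers: bytes = b"", method: bytes = b"POST") -> bytes:
    """Constructed sample request shaped like the rule's description."""
    boundary = b"----WebKitFormBoundaryEXAMPLE"      # constructed boundary value
    body = (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="getconfig"\r\n\r\n'
            b"1\r\n--" + boundary + b"--\r\n")
    return (method + b" /gate.php HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"               # constructed hostname
            b"Referer: http://example.invalid/\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            + extra_headers +
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Connection: close\r\n\r\n" + body)


def build_response(markers=RESPONSE_MARKERS) -> bytes:
    """Constructed sample response carrying the given IS_G_* markers."""
    body = b"\r\n".join(m + b"0" for m in markers) + b"\r\n"
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/plain\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


if __name__ == "__main__":
    print("request as described:       ", matches_getconfig_request(build_request()))
    print("request with Accept header: ", matches_getconfig_request(build_request(b"Accept: */*\r\n")))
    print("GET instead of POST:        ", matches_getconfig_request(build_request(method=b"GET")))
    print("response with all markers:  ", matches_getconfig_response(build_response()))
    print("response missing one marker:", matches_getconfig_response(build_response(RESPONSE_MARKERS[:-1])))
```

Two behaviours of the request rule are worth seeing in the harness: the negated `content:!"Accept"; http_header` is a substring test, so any header whose name merely contains "Accept" (Accept-Encoding, Accept-Language) keeps the rule from firing, and the `form-data|3B 20|name=|22|getconfig|22|` content carries no http_* modifier, so it is matched against the raw payload rather than a normalized buffer; the harness searches the whole message for the same reason.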