<div dir="ltr">Yaser,<div><br></div><div>Thank you for your submission. We will review the rules and get back to you when they're finished.</div><div><br></div><div>Sincerely,</div><div><br></div><div>Tyler Montier</div><div>Cisco Talos</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 9, 2017 at 1:49 AM, Y M <span dir="ltr"><<a href="mailto:snort@...3751..." target="_blank">snort@...3751...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div dir="ltr">
<div id="m_6086700328200689252divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif">
<p><span id="m_6086700328200689252ms-rterangepaste-start"></span></p>
<div>Hello,</div>
<div><br>
</div>
<div>The below rules were derived from the reference article. Reviewing the existing signature sid:32670, it may hit on the initial outbound connection. Subsequent traffic may not trigger the rule given the differences in HTTP headers. No pcap is available for this one. If these rules seem redundant, please ignore them.</div>
<div><br>
</div>
<div><span style="font-size:9pt;font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot initial outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie|3A 20|auth="; http_header; content:"ZW50ZXI="; http_client_body; content:!"Connection"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; reference:url,<a href="http://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/" target="_blank">blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/</a>; reference:url,<a href="http://www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/" target="_blank">www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/</a>; classtype:trojan-activity; sid:1000873; rev:1;)</span></div>
<div><span style="font-size:9pt;font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-size:9pt;font-family:Consolas,monospace">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot success inbound connection"; flow:to_client,established; content:"404"; http_stat_code; file_data; content:"<!---c3VjY2Vzcw==--->"; metadata:ruleset community, service http; reference:url,<a href="http://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/" target="_blank">blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/</a>; reference:url,<a href="http://www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/" target="_blank">www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/</a>; classtype:trojan-activity; sid:1000874; rev:1;)</span></div>
<div><span style="font-size:9pt;font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-size:9pt;font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NeutrinoBot outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Cookie|3A 20|auth="; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:"|20|form-data|3B|name=|22|fname|22|"; content:"|20|form-data|3B 20|name=|22|data|22|"; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,<a href="http://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/" target="_blank">blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/</a>; reference:url,<a href="http://www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/" target="_blank">www.virustotal.com/en/file/45abc50e837a3e0c4df842fe8c3aa54e103d690d67f89d78059878bd3acc67ab/analysis/</a>; classtype:trojan-activity; sid:1000875; rev:1;)</span></div>
<div><br>
</div>
<div>Thanks.</div><span class="HOEnZb"><font color="#888888">
<div>YM</div>
<span id="m_6086700328200689252ms-rterangepaste-end"></span><br>
<p></p>
</font></span></div>
</div>

<br>------------------------------------------------------------------------------<br>
_______________________________________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...1744...net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" rel="noreferrer" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br>
<br>
<a href="http://www.snort.org" rel="noreferrer" target="_blank">http://www.snort.org</a><br>
<br>
Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br>
<br>
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most <a href="https://snort.org/downloads/#rule-downloads" rel="noreferrer" target="_blank">emerging threats</a>!<br></blockquote></div><br></div>
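<p>The three rules quoted in the thread describe the Neutrino Bot exchange as a set of buffer matches: a POST to /tasks.php carrying an auth cookie and a base64 "enter" body, a 404 whose body hides a base64 "success" marker, and a later multipart POST with Connection: close. The Python below is an added illustration, not code from the thread, from Talos or from Snort itself: it re-implements what each posted rule matches on and runs that over constructed HTTP messages, so the two client-side rules can be seen firing on different stages and a browser-like request with an Accept header can be seen falling through. Host names, the cookie value and the multipart contents are placeholders; there is no pcap for this sample.</p>

```python
"""Re-implementation, in plain Python, of what the three posted NeutrinoBot
rules (sid 1000873, 1000874, 1000875) match on, run over constructed HTTP
messages. Added illustration: this is neither Snort nor code from the thread."""
import base64
from typing import Optional, Tuple

# Markers copied from the posted rules; decode_marker() shows what they encode.
CHECKIN_MARKER = "ZW50ZXI="               # base64("enter"), body of the first POST
SUCCESS_MARKER = "<!---c3VjY2Vzcw==--->"  # base64("success") inside an HTML comment


def decode_marker(marker: str) -> str:
    """Base64-decode a marker after stripping the HTML-comment wrapper, if any."""
    return base64.b64decode(marker.strip("<!->")).decode()


def split_http(raw: bytes) -> Tuple[str, str, str]:
    """Split a raw HTTP message into (start line, header block, body).
    Case is preserved: the posted rules carry no 'nocase', so their header
    and body content matches are case-sensitive."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    start, _, headers = head.partition("\r\n")
    return start, headers + "\r\n", body


def match_request(raw: bytes) -> Optional[int]:
    """Return the sid of the client-side rule that fires on `raw`, else None."""
    start, headers, body = split_http(raw)
    parts = start.split(" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else ""
    # Conditions shared by sid:1000873 and sid:1000875.
    if method != "POST" or "/tasks.php" not in uri:
        return None
    if "Cookie: auth=" not in headers or "Accept" in headers:
        return None
    # sid:1000873, initial check-in: base64("enter") in the body, no Connection header.
    if "Connection" not in headers and CHECKIN_MARKER in body:
        return 1000873
    # sid:1000875, later task traffic: Connection: close, no Referer, and the two
    # multipart part headers. Those two patterns carry no HTTP buffer modifier in the
    # posted rule, so they are searched across the whole message, and they are kept
    # exactly as posted (note the missing space after ';' in the fname pattern).
    whole = raw.decode("latin-1")
    if ("Connection: close\r\n" in headers and "Referer" not in headers
            and ' form-data;name="fname"' in whole
            and ' form-data; name="data"' in whole):
        return 1000875
    return None


def match_response(raw: bytes) -> Optional[int]:
    """Return 1000874 when the server-side rule fires (a 404 whose body
    carries the success marker), otherwise None."""
    start, _headers, body = split_http(raw)
    parts = start.split(" ")
    status = parts[1] if len(parts) > 1 else ""
    return 1000874 if status == "404" and SUCCESS_MARKER in body else None


# Constructed messages (no pcap exists for this sample; the host and the
# cookie value are placeholders, not observed values).
CHECKIN = (
    b"POST /tasks.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Cookie: auth=0123456789abcdef\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"ZW50ZXI="
)
# The same request as a browser would send it: the Accept header alone defeats the rule.
WITH_ACCEPT = CHECKIN.replace(b"Host: c2.example.invalid\r\n",
                              b"Host: c2.example.invalid\r\nAccept: */*\r\n")
TASK_POST = (
    b"POST /tasks.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Cookie: auth=0123456789abcdef\r\n"
    b"Connection: close\r\n"
    b"Content-Type: multipart/form-data; boundary=XX\r\n"
    b"\r\n"
    b"--XX\r\nContent-Disposition: form-data;name=\"fname\"\r\n\r\nreport.bin\r\n"
    b"--XX\r\nContent-Disposition: form-data; name=\"data\"\r\n\r\nblob\r\n"
    b"--XX--\r\n"
)
SUCCESS_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><!---c3VjY2Vzcw==---></html>"
)
SUCCESS_200 = SUCCESS_404.replace(b"404 Not Found", b"200 OK")

if __name__ == "__main__":
    for name, msg in [("CHECKIN", CHECKIN), ("WITH_ACCEPT", WITH_ACCEPT),
                      ("TASK_POST", TASK_POST)]:
        print(name, "->", match_request(msg))
    for name, msg in [("SUCCESS_404", SUCCESS_404), ("SUCCESS_200", SUCCESS_200)]:
        print(name, "->", match_response(msg))
    print("markers:", decode_marker(CHECKIN_MARKER), decode_marker(SUCCESS_MARKER))
```

<p>Two caveats the script makes visible. First, the Cookie check here is a plain substring search of the header block; in Snort 2.9 with http_inspect's <code>enable_cookie</code> turned on (as in the stock snort.conf), the Cookie line is pulled out of the <code>http_header</code> buffer into <code>http_cookie</code>, so <code>content:"Cookie|3A 20|auth="; http_header;</code> would not see it and the check would need to move to the <code>http_cookie</code> buffer. Second, the fname pattern in sid:1000875 has no space after the semicolon while the data pattern does; the script reproduces that asymmetry as posted, and a pcap would be needed to confirm which spelling the bot actually emits.</p>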