<div dir="ltr">Yaser,<div><br></div><div>Thanks for your submission. We will review the rules and get back to you when they're finished. </div><div><br></div><div>Can you send the pcaps our way?</div><div><br></div><div>Regards,</div><div>Tyler Montier</div><div>Cisco Talos </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 22, 2018 at 7:29 AM, Y M via Snort-sigs <span dir="ltr"><<a href="mailto:snort-sigs@lists.snort.org" target="_blank">snort-sigs@lists.snort.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div dir="ltr">
<div id="m_-7914128933770980344divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p style="margin-top:0;margin-bottom:0"><span style="font-size:11pt">Hi,</span></p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"><span style="font-size:11pt">The two signatures below are originally driven by the following references. The sample on VT is referenced in the signatures. Pcap is available. </span></p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"></p>
<p style="margin-top:0;margin-bottom:0"></p>
<div><span style="font-size:11pt"><a class="m_-7914128933770980344OWAAutoLink" id="m_-7914128933770980344LPlnk581050" href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank">https://reaqta.com/2017/11/<wbr>muddywater-apt-targeting-<wbr>middle-east/</a> </span><br>
<span style="font-size:11pt"><a class="m_-7914128933770980344OWAAutoLink" id="m_-7914128933770980344LPlnk259469" href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank">https://researchcenter.<wbr>paloaltonetworks.com/2017/11/<wbr>unit42-muddying-the-water-<wbr>targeted-attacks-in-the-<wbr>middle-east/</a> </span><br>
<span style="font-size:11pt"><a class="m_-7914128933770980344OWAAutoLink" id="m_-7914128933770980344LPlnk86441" href="http://blog.morphisec.com/fileless-attack-framework-discovery" target="_blank">http://blog.morphisec.com/<wbr>fileless-attack-framework-<wbr>discovery</a> </span><br>
<a class="m_-7914128933770980344OWAAutoLink" id="m_-7914128933770980344LPlnk67433" href="https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/" target="_blank"><span style="font-size:11pt">https://blog.malwarebytes.com/<wbr>threat-analysis/2017/09/<wbr>elaborate-scripting-fu-used-<wbr>in-espionage-attack-against-<wbr>saudi-arabia-government_<wbr>entity/</span></a></div>
<div><br>
</div>
<div><span style="font-size:11pt">Opted for two separate signatures as opposed to using pcre.</span></div>
<div><br>
</div>
<div>
<div><span style="font-family:Consolas,Courier,monospace;font-size:10pt">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerStat variant outbound connection to proxy"; flow:to_server,established; urilen:>50; content:"GET"; http_method; content:".php?c="; http_uri; fast_pattern:only; content:"Connection|3A 20|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Cookie"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; reference:url,<a href="http://www.virustotal.com/#/file/16985600c959f6267476da614243a585b1b222213ec938351ef6a26560c992db/detection" target="_blank">www.virustotal.com/#/file/16985600c959f6267476da614243a585b1b222213ec938351ef6a26560c992db/detection</a>; classtype:trojan-activity; sid:9000004; rev:2;)</span></div>
<div><span style="font-family:Consolas,Courier,monospace;font-size:10pt"></span><br>
<span style="font-family:Consolas,Courier,monospace;font-size:10pt">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PowerStat variant outbound connection to proxy"; flow:to_server,established; urilen:>50; content:"GET"; http_method; content:".aspx?c="; http_uri; fast_pattern:only; content:"Connection|3A 20|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Cookie"; http_header; content:!"Content"; http_header; metadata:ruleset community, service http; reference:url,<a href="http://www.virustotal.com/#/file/16985600c959f6267476da614243a585b1b222213ec938351ef6a26560c992db/detection" target="_blank">www.virustotal.com/#/file/16985600c959f6267476da614243a585b1b222213ec938351ef6a26560c992db/detection</a>; classtype:trojan-activity; sid:9000005; rev:2;)</span></div>
</div>
<div><br>
</div>
<div><span style="font-size:11pt">Thanks.</span></div><span class="HOEnZb"><font color="#888888">
<div><span style="font-size:11pt">YM</span><br>
</div>
<br>
<p></p>
</font></span></div>
</div>

<br>______________________________<wbr>_________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.snort.org">Snort-sigs@lists.snort.org</a><br>
<a href="https://lists.snort.org/mailman/listinfo/snort-sigs" rel="noreferrer" target="_blank">https://lists.snort.org/<wbr>mailman/listinfo/snort-sigs</a><br>
<br>
Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br>
<br>
Please follow these rules: <a href="https://snort.org/faq/what-is-the-mailing-list-etiquette" rel="noreferrer" target="_blank">https://snort.org/faq/what-is-<wbr>the-mailing-list-etiquette</a><br>
<br>
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href="https://snort.org/downloads/#rule-downloads" rel="noreferrer" target="_blank">emerging threats</a>!<br>
<br></blockquote></div><br></div>
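<p>The two submitted rules share every clause except the URI substring, so their logic can be sanity-checked against raw requests before the PCAP is replayed through a sensor. The following is an added example written for this page, not code from the rule author or from Cisco Talos: a plain-Python re-implementation of the rule clauses (GET method, URI longer than 50 bytes containing <code>.php?c=</code> or <code>.aspx?c=</code>, a case-sensitive <code>Connection: </code> header, and no <code>User-Agent</code>, <code>Accept</code>, <code>Referer</code>, <code>Cookie</code> or <code>Content</code> bytes anywhere in the header block), run over constructed sample requests. The sample requests, host names and the long <code>c=</code> value are invented for illustration and are not taken from the referenced PCAP or the VirusTotal sample; the <code>flow</code> and <code>$HTTP_PORTS</code> restrictions are not modelled because a lone request carries no connection context.</p>

```python
"""Plain-Python re-implementation of the clauses in the two PowerStat
proxy-beacon rules above, so the rule logic can be exercised against raw
HTTP requests (hand-built or carved from a PCAP) without a Snort sensor.

Added example, not code from the rule author or from Cisco Talos.  The
sample requests are constructed for illustration; they are not taken from
the referenced PCAP or the VirusTotal sample."""

from typing import Dict, Optional

# The two submitted rules are identical except for this URI substring
# (content:".php?c="; http_uri; vs content:".aspx?c="; http_uri;).  Testing
# both from one list is a convenience of this checker only.
URI_PATTERNS = (b".php?c=", b".aspx?c=")

# content:!"..."; http_header;  The rule fires only if NONE of these byte
# strings occur anywhere in the header block (names or values), so
# "Accept" also excludes Accept-Encoding and "Content" excludes Content-Type.
FORBIDDEN_IN_HEADERS = (b"User-Agent", b"Accept", b"Referer", b"Cookie", b"Content")

# content:"Connection|3A 20|"; http_header;  No nocase modifier, so the match
# is case-sensitive: a lowercase "connection: " would not satisfy the rule.
REQUIRED_IN_HEADERS = b"Connection: "


def split_request(raw: bytes) -> Optional[Dict[str, bytes]]:
    """Split an HTTP/1.x request into method, URI and the header block.
    Returns None when the request line is not 'METHOD URI VERSION'."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    return {"method": parts[0], "uri": parts[1], "headers": header_block}


def rule_checks(raw: bytes) -> Dict[str, bool]:
    """Evaluate each rule clause separately so a non-match can be traced to
    the clause that failed.  Approximations relative to Snort: urilen is
    measured on the URI as sent rather than on Snort's normalized buffer,
    and the header buffer is the raw header block without HTTP-inspect
    normalization."""
    req = split_request(raw)
    if req is None:
        return {"parsed": False}
    uri, headers = req["uri"], req["headers"]
    return {
        "parsed": True,
        "method_get": req["method"] == b"GET",            # content:"GET"; http_method;
        "urilen_gt_50": len(uri) > 50,                     # urilen:>50;
        "uri_pattern": any(p in uri for p in URI_PATTERNS),
        "connection_header": REQUIRED_IN_HEADERS in headers,
        "no_forbidden_headers": not any(s in headers for s in FORBIDDEN_IN_HEADERS),
    }


def matches(raw: bytes) -> bool:
    """True when every clause of either rule is satisfied."""
    return all(rule_checks(raw).values())


def build_request(method: bytes, uri: bytes, headers: Dict[bytes, bytes]) -> bytes:
    """Assemble a raw HTTP/1.1 request for the constructed samples below."""
    lines = [method + b" " + uri + b" HTTP/1.1"]
    lines += [name + b": " + value for name, value in headers.items()]
    return b"\r\n".join(lines) + b"\r\n\r\n"


# Constructed samples (hypothetical host names).  The long 'c=' value stands
# in for the encoded beacon payload that pushes the URI past 50 bytes.
_LONG_C = b"A" * 64
_HOST = b"proxy.example.invalid"
SAMPLES = {
    # Minimal request with Host and Connection only -> .php rule fires
    "beacon_php": build_request(b"GET", b"/proxy.php?c=" + _LONG_C,
                                {b"Host": _HOST, b"Connection": b"Keep-Alive"}),
    # Same shape against an .aspx handler -> .aspx rule fires
    "beacon_aspx": build_request(b"GET", b"/handler.aspx?c=" + _LONG_C,
                                 {b"Host": _HOST, b"Connection": b"Keep-Alive"}),
    # Identical URI fetched by a browser: User-Agent/Accept present -> no alert
    "browser_same_uri": build_request(b"GET", b"/proxy.php?c=" + _LONG_C,
                                      {b"Host": _HOST, b"User-Agent": b"Mozilla/5.0",
                                       b"Accept": b"*/*", b"Connection": b"keep-alive"}),
    # Beacon-shaped headers but a short URI -> urilen:>50 fails
    "short_uri": build_request(b"GET", b"/p.php?c=1",
                               {b"Host": _HOST, b"Connection": b"Keep-Alive"}),
    # POST with the same URI -> http_method clause (and "Content") fail
    "post_same_uri": build_request(b"POST", b"/proxy.php?c=" + _LONG_C,
                                   {b"Host": _HOST, b"Connection": b"Keep-Alive",
                                    b"Content-Length": b"0"}),
}


def classify_samples() -> Dict[str, bool]:
    """Run the rule logic over every sample; returns name -> would-alert."""
    return {name: matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        failed = [k for k, ok in rule_checks(SAMPLES[name]).items() if not ok]
        print(f"{name:18s} alert={verdict}  failed_clauses={failed}")
```

The checker is only an approximation of the rule engine (no HTTP-inspect normalization, no flow tracking), so it is useful for reasoning about which clause a given request trips or misses; the authoritative test remains replaying the PCAP through Snort with the rules loaded. The negated <code>Accept</code> and <code>Content</code> clauses deserve a second look during review, since they exclude any client that sends <code>Accept-Encoding</code> or <code>Content-Length</code>, which narrows the rule to bare WinHTTP-style requests.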