Snort mailing list archives
Re: Blackrev C2 sigs
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 4 Jun 2013 11:34:35 -0400
James,

There were actually 25 total rules written for this, we gave credit to you for all of them and released them in the community ruleset as of last night.

Thanks!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On May 21, 2013, at 5:17 PM, Patrick Mullen <pmullen () sourcefire com> wrote:

> Thanks, James! They should be in tonight's community build as sids 26713-26715.
>
> ~Patrick
>
> On Tue, May 21, 2013 at 4:25 PM, James Lay <jlay () slave-tothe-box net> wrote:
>
>> Enjoy:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 1 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/m"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Synapse)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000066; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 2 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{15}/mi"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000067; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 3 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|id="; http_uri; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/mi"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000068; rev:1;)
>>
>> Lots of good info on that reference link.
>>
>> James
>
> --
> Patrick Mullen
> Response Research Manager
> Sourcefire VRT

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
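The three signatures in the thread express detection as a chain of tests: the HTTP method, a case-sensitive substring in the URI (Snort `content` without `nocase`), a pcre over the payload (only revs 2 and 3 carry the `i` modifier), and an exact User-Agent header line terminated by CRLF. As an added example, not code from the thread, from Sourcefire or from the Snort project, the following Python re-states those tests and runs them over constructed HTTP requests so a rule reviewer can confirm which request shapes each revision covers. It approximates Snort's `http_uri` and `http_header` buffers with a minimal request parser; the sid and msg values are the ones posted, while the Host value and the sample tokens are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed re-statement of the three BlackRev C2 signatures from the thread.
# Each entry mirrors the rule's four tests: GET method, a case-sensitive
# substring in the URI (Snort `content` without `nocase`), a regex over the
# request head (the rules' pcre has no buffer modifier, so it runs over the
# payload, and only revs 2 and 3 carry the /i flag), and an exact User-Agent
# header line.
SIGNATURES = [
    {
        "sid": 10000066,
        "msg": "MALWARE-CNC Win.Trojan.BlackRev Rev 1 C2 Traffic",
        "uri_content": "gate.php?reg=",
        "pcre": re.compile(r"gate\.php\?reg=[a-z]{10}", re.M),
        "header": "User-Agent: Mozilla/4.0 (compatible; Synapse)",
    },
    {
        "sid": 10000067,
        "msg": "MALWARE-CNC Win.Trojan.BlackRev Rev 2 C2 Traffic",
        "uri_content": "gate.php?reg=",
        "pcre": re.compile(r"gate\.php\?reg=[a-z]{15}", re.M | re.I),
        "header": "User-Agent: Mozilla/4.0 (compatible; SEObot)",
    },
    {
        "sid": 10000068,
        "msg": "MALWARE-CNC Win.Trojan.BlackRev Rev 3 C2 Traffic",
        "uri_content": "gate.php?id=",
        "pcre": re.compile(r"gate\.php\?id=[a-z]{15}", re.M | re.I),
        "header": "User-Agent: Mozilla/4.0 (compatible; SEObot)",
    },
]


def parse_request(raw: bytes) -> Optional[Dict[str, object]]:
    """Split an HTTP/1.x request head into method, URI and raw header lines.

    Returns None for anything that is not a well-formed request line, so a
    non-HTTP payload simply matches no signature.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return {"method": parts[0], "uri": parts[1], "headers": lines[1:], "head": head}


def match_signatures(raw: bytes) -> List[int]:
    """Return the sids of every signature whose tests all pass on the request."""
    req = parse_request(raw)
    if req is None:
        return []
    hits = []
    for sig in SIGNATURES:
        if req["method"] != "GET":                   # content:"GET"; http_method
            continue
        if sig["uri_content"] not in req["uri"]:      # content:"gate.php|3f|..."; http_uri
            continue
        if not sig["pcre"].search(req["head"]):       # pcre:"/.../m" or "/.../mi"
            continue
        if sig["header"] not in req["headers"]:       # content:"User-Agent|3a| ...|0d 0a|"; http_header
            continue
        hits.append(sig["sid"])
    return hits


def build_request(uri: str, user_agent: str) -> bytes:
    """Assemble a minimal constructed GET request for exercising the matcher."""
    return (
        f"GET {uri} HTTP/1.1\r\nHost: c2.example.invalid\r\n"
        f"User-Agent: {user_agent}\r\nConnection: close\r\n\r\n"
    ).encode("latin-1")


# Constructed sample traffic: the three shapes the rules are written for, a
# benign request, and a rev-1-shaped request with an uppercase token, which
# shows that only the /i-flagged revisions are case-insensitive on the token.
SAMPLES = {
    "rev1": build_request("/gate.php?reg=abcdefghij", "Mozilla/4.0 (compatible; Synapse)"),
    "rev2": build_request("/gate.php?reg=ABCDEFGHIJKLMNO", "Mozilla/4.0 (compatible; SEObot)"),
    "rev3": build_request("/gate.php?id=abcdefghijklmno", "Mozilla/4.0 (compatible; SEObot)"),
    "benign": build_request("/index.php?id=abc", "Mozilla/5.0"),
    "rev1_upper": build_request("/gate.php?reg=ABCDEFGHIJ", "Mozilla/4.0 (compatible; Synapse)"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11s} -> {match_signatures(raw)}")
```

The pcre is searched over the whole request head rather than the URI alone because the posted rules give it no buffer modifier; the `content ... http_uri` test before it is what ties the match to the URI. Feeding a real capture through `match_signatures` (the raw request bytes from a flow) is enough to check the rules' coverage before deploying a local variant.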
Current thread:
- Blackrev C2 sigs James Lay (May 21)
- Re: [Emerging-Sigs] Blackrev C2 sigs Will Metcalf (May 21)
- Re: Blackrev C2 sigs Patrick Mullen (May 21)
- Re: Blackrev C2 sigs Joel Esler (Jun 04)
- Re: Blackrev C2 sigs James Lay (Jun 04)
- Re: Blackrev C2 sigs Joel Esler (Jun 04)