Snort mailing list archives

Re: Blackrev C2 sigs


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 4 Jun 2013 11:34:35 -0400

James,

There were actually 25 total rules written for this, we gave credit to you for all of them and released them in the 
community ruleset as of last night.

Thanks!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On May 21, 2013, at 5:17 PM, Patrick Mullen <pmullen () sourcefire com> wrote:

Thanks, James!  They should be in tonight's community build as sids 26713-26715.


~Patrick

On Tue, May 21, 2013 at 4:25 PM, James Lay <jlay () slave-tothe-box net> wrote:
Enjoy:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 1 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/m"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Synapse)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community service http; reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000066; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 2 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{15}/mi"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community service http; reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000067; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 3 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|id="; http_uri; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/mi"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community service http; reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000068; rev:1;)

Lots of good info on that reference link.

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!



-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT


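The following is an added illustration of what the three posted rules actually match, not Snort code and not the list poster's own. It transcribes the rule options into Python (decoding Snort's |3a| |3b| |3f| |0d 0a| hex escapes to ':', ';', '?' and CRLF), reproduces the case-sensitive default of `content` and the `/m` versus `/mi` difference between the Rev 1 and Rev 2/3 pcre options, and runs them over constructed HTTP requests (invented samples, not captures). It ignores the IP/port part of the rule header and http_inspect's URI normalisation, both assumptions of the example.

```python
"""Emulate the three BlackRev MALWARE-CNC rules posted above against constructed requests."""
import re

# Rule options transcribed from the posted signatures. Snort hex escapes are
# decoded here: |3a| is ':', |3b| is ';', |3f| is '?', |0d 0a| is CRLF.
# 'content' is case-sensitive unless 'nocase' is given, and the http_header
# buffer is matched as a whole, so the UA match includes the header name,
# the separator and the trailing CRLF exactly as written in the rule.
RULES = [
    {
        "sid": 10000066,
        "msg": "MALWARE-CNC Win.Trojan.BlackRev Rev 1 C2 Traffic",
        "uri_content": "gate.php?reg=",
        "pcre": re.compile(r"gate\.php\?reg=[a-z]{10}", re.M),          # /m only
        "header_content": "User-Agent: Mozilla/4.0 (compatible; Synapse)\r\n",
    },
    {
        "sid": 10000067,
        "msg": "MALWARE-CNC Win.Trojan.BlackRev Rev 2 C2 Traffic",
        "uri_content": "gate.php?reg=",
        "pcre": re.compile(r"gate\.php\?reg=[a-z]{15}", re.M | re.I),   # /mi
        "header_content": "User-Agent: Mozilla/4.0 (compatible; SEObot)\r\n",
    },
    {
        "sid": 10000068,
        "msg": "MALWARE-CNC Win.Trojan.BlackRev Rev 3 C2 Traffic",
        "uri_content": "gate.php?id=",
        "pcre": re.compile(r"gate\.php\?id=[a-z]{15}", re.M | re.I),    # /mi
        "header_content": "User-Agent: Mozilla/4.0 (compatible; SEObot)\r\n",
    },
]


def split_request(raw: bytes):
    """Return (method, uri, header_block) from a raw HTTP request.

    Stands in for the http_method, http_uri and http_header buffers. No URI
    normalisation is attempted (assumption of this example; the real
    preprocessor decodes and normalises the URI before matching).
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.decode("latin-1").split(" ", 2)
    # Keep a trailing CRLF so a rule ending in |0d 0a| can match the last header.
    return method, uri, header_block.decode("latin-1") + "\r\n"


def match_rules(raw: bytes) -> list:
    """Return the sids of the posted rules whose options all match this request."""
    method, uri, header_block = split_request(raw)
    hits = []
    for rule in RULES:
        if method != "GET":                               # content:"GET"; http_method
            continue
        if rule["uri_content"] not in uri:                # content:"..."; http_uri
            continue
        if not rule["pcre"].search(uri):                  # pcre over the same URI buffer
            continue
        if rule["header_content"] not in header_block:    # content:"..."; http_header
            continue
        hits.append(rule["sid"])
    return hits


def build_request(path: str, user_agent: str) -> bytes:
    """Constructed sample traffic (not a real capture) in the shape the rules expect."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: example.invalid\r\n"
        f"User-Agent: {user_agent}\r\n"
        f"\r\n"
    ).encode("latin-1")


SYNAPSE = "Mozilla/4.0 (compatible; Synapse)"
SEOBOT = "Mozilla/4.0 (compatible; SEObot)"

SAMPLES = {
    "rev1": build_request("/gate.php?reg=abcdefghij", SYNAPSE),
    "rev2": build_request("/gate.php?reg=abcdefghijklmno", SEOBOT),
    "rev3_upper": build_request("/gate.php?id=ABCDEFGHIJKLMNO", SEOBOT),
    # [a-z]{10} is unanchored, so a 15-character value still satisfies the Rev 1 pcre.
    "rev1_long": build_request("/gate.php?reg=abcdefghijklmno", SYNAPSE),
    # The Rev 1 pcre has no /i flag, so an upper-case value escapes that rule.
    "rev1_upper": build_request("/gate.php?reg=ABCDEFGHIJ", SYNAPSE),
    # Right UA, wrong path: nothing fires.
    "benign_ua": build_request("/index.php?reg=abcdefghij", SYNAPSE),
    # Right URI and UA but POST: the http_method content fails.
    "post": build_request("/gate.php?reg=abcdefghij", SYNAPSE).replace(b"GET ", b"POST ", 1),
}


def evaluate_samples() -> dict:
    """Map each constructed sample name to the sids that fire on it."""
    return {name: match_rules(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in evaluate_samples().items():
        print(f"{name:12s} -> {sids}")
```

Two things the samples make visible: the Rev 1 pcre is case-sensitive where Rev 2 and Rev 3 are not, and none of the three `[a-z]{n}` patterns is anchored, so a longer registration value is still caught by the shorter rule as long as the User-Agent matches. Both are properties of the rules as posted, not changes to them.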
