Snort mailing list archives
Rovnix Rule
From: Y M <snort () outlook com>
Date: Mon, 5 Aug 2013 17:43:52 +0000
Probably being cooked already, and maybe enhanced further as the Rovnix behavior is far more complex:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download request"; flow:to_server,established; content:"GET"; content:"/ld.aspx"; nocase; http_uri; content:"User-Agent|3a 20|FWVersionTestAgent|0d 0a|"; fast_pattern:only; metadata:impact-flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity; sid:112233; rev:1;)

There is another potential rule in the pcap referenced (first reference) in the form of a "BLACKLIST DNS request", but I think the one above is more relevant. Any ideas to make it better are always welcome.

Thanks.
YM
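As an added illustration (not part of the original post or of Snort itself), the following Python applies the three content checks of the rule above to constructed HTTP requests, decoding Snort's |hex| notation for the User-Agent pattern and honouring the nocase/http_uri modifier on the URI check; the sample requests and the host name example.invalid are constructed for this example.

```python
# Constructed sample traffic (not from the original post or its pcap).
MATCHING_REQUEST = (b"GET /ld.aspx?id=1 HTTP/1.1\r\n"
                    b"Host: example.invalid\r\n"
                    b"User-Agent: FWVersionTestAgent\r\n\r\n")
BENIGN_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: example.invalid\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n")


def decode_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string with |hex| escapes into raw bytes.

    Odd-numbered chunks between '|' delimiters are space-separated hex
    bytes; even-numbered chunks are literal text.
    """
    out = bytearray()
    for i, chunk in enumerate(pattern.split('|')):
        if i % 2:
            out += bytes.fromhex(chunk.replace(' ', ''))
        else:
            out += chunk.encode('latin-1')
    return bytes(out)


def request_uri(raw: bytes) -> bytes:
    """Extract the request-URI from the first line of a raw HTTP request."""
    first_line = raw.split(b'\r\n', 1)[0]
    parts = first_line.split(b' ')
    return parts[1] if len(parts) >= 2 else b''


def rule_matches(raw_request: bytes) -> bool:
    """Apply the rule's content options in order to one raw request."""
    # content:"GET"; -> unanchored raw-payload match
    if decode_snort_content('GET') not in raw_request:
        return False
    # content:"/ld.aspx"; nocase; http_uri; -> case-insensitive, URI buffer only
    if b'/ld.aspx' not in request_uri(raw_request).lower():
        return False
    # content:"User-Agent|3a 20|FWVersionTestAgent|0d 0a|"; -> exact header bytes
    user_agent = decode_snort_content(
        'User-Agent|3a 20|FWVersionTestAgent|0d 0a|')
    return user_agent in raw_request
```

A request with the URI in upper case (/LD.ASPX) still matches because of nocase, while the same User-Agent string on a different URI does not trigger the rule.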