Snort mailing list archives
Re: Rovnix UA sig
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 5 Aug 2013 15:00:21 -0400
I cleaned up and committed Yaser's version since it came in first. Thanks all.

On Mon, Aug 05, 2013 at 12:51:55PM -0600, James Lay wrote:
> Ya YM and I played dueling Send buttons I guess :) Thanks Joel!
>
> James
>
> On 2013-08-05 12:14, Joel Esler wrote:
>> Thanks James. YM just submitted something very similar.
>>
>> On Mon, Aug 5, 2013 at 1:43 PM, James Lay <jlay () slave-tothe-box net> wrote:
>>> I'm sure there's other things to match as well:
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Rovnix UA detected"; content:"User-Agent|3a| FWVersionTestAgent"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; classtype:trojan-activity; sid:10000088; rev:1;)
>>>
>>> James
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Rovnix UA sig James Lay (Aug 05)
- Re: Rovnix UA sig Joel Esler (Aug 05)
- Re: Rovnix UA sig James Lay (Aug 05)
- Re: Rovnix UA sig Joel Esler (Aug 05)
- Re: Rovnix UA sig Y M (Aug 05)
- Re: Rovnix UA sig James Lay (Aug 05)
- Re: Rovnix UA sig James Lay (Aug 05)
- Re: Rovnix UA sig Joel Esler (Aug 05)