Snort mailing list archives
Asprox Sig
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 12 Nov 2013 14:05:16 -0700
Ok..so how bad did I hose this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Asprox Outbound Traffic"; flow:to_server, established; content:"User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| WOW64|3b| rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0"; fast_pattern:only; http_header; content:"Content-Disposition|3a| form-data|3b| name=|22|key|22 3b| filename=|22|key.bin|22|"; http_header; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html; classtype:bad-unknown; sid:10000111; rev:1;)

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
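An added example (not part of the original post or the Snort project) for checking a rule like the one above before it goes into a sensor: it decodes the two Snort content strings, including their |xx| hex escapes, into the exact bytes Snort would search for, then tests each pattern against a hand-constructed multipart POST split into the request headers and the body the way Snort's http_header and http_client_body buffers roughly split it. The request, the path and the boundary are constructed for the test, not captured traffic. The check also makes the practical point for this particular rule: the Content-Disposition line of a multipart part sits in the request body, so a content anchored to http_header alone would not see it; the example reports which buffer each pattern actually lands in.

```python
"""Decode Snort content strings and test them against a constructed HTTP POST.

Added example for reviewing the Asprox rule; the sample request below is
hand-constructed from the rule's two content strings, not captured traffic.
"""


def decode_snort_content(s: str) -> bytes:
    """Turn a Snort content string with |xx xx| hex escapes into raw bytes."""
    out = bytearray()
    pos = 0
    while pos < len(s):
        if s[pos] == "|":
            end = s.index("|", pos + 1)          # closing pipe of the hex run
            out += bytes.fromhex(s[pos + 1:end].replace(" ", ""))
            pos = end + 1
        else:
            out += s[pos].encode("latin-1")       # literal character
            pos += 1
    return bytes(out)


# The two content strings copied from the rule in the post.
UA_CONTENT = ("User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| WOW64|3b| "
              "rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0")
CD_CONTENT = ("Content-Disposition|3a| form-data|3b| name=|22|key|22 3b| "
              "filename=|22|key.bin|22|")


def split_http_request(raw: bytes):
    """Split a raw request at the first blank line into (headers, body).

    This approximates Snort's http_header buffer (request line plus headers)
    and http_client_body buffer (everything after the blank line).
    """
    head, _sep, body = raw.partition(b"\r\n\r\n")
    return head, body


def buffers_containing(raw: bytes, pattern: bytes) -> tuple:
    """Return the names of the Snort buffers in which `pattern` is found."""
    head, body = split_http_request(raw)
    return tuple(name for name, buf in (("http_header", head),
                                        ("http_client_body", body))
                 if pattern in buf)


def rule_would_fire(raw: bytes) -> bool:
    """Both contents must hit, each in the buffer where that data lives."""
    ua_hit = "http_header" in buffers_containing(raw, decode_snort_content(UA_CONTENT))
    cd_hit = "http_client_body" in buffers_containing(raw, decode_snort_content(CD_CONTENT))
    return ua_hit and cd_hit


# Constructed sample: a multipart upload carrying a "key.bin" part and the
# exact User-Agent string from the rule. Path, host and boundary are placeholders.
_BODY = (b"------constructed-boundary\r\n"
         b'Content-Disposition: form-data; name="key"; filename="key.bin"\r\n'
         b"Content-Type: application/octet-stream\r\n"
         b"\r\n"
         b"PLACEHOLDER-BYTES\r\n"
         b"------constructed-boundary--\r\n")
SAMPLE_REQUEST = (b"POST /constructed/path HTTP/1.1\r\n"
                  b"Host: example.invalid\r\n"
                  b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) "
                  b"Gecko/20100101 Firefox/23.0\r\n"
                  b"Content-Type: multipart/form-data; boundary=----constructed-boundary\r\n"
                  b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
                  b"\r\n" + _BODY)


if __name__ == "__main__":
    for label, content in (("UA", UA_CONTENT), ("CD", CD_CONTENT)):
        pattern = decode_snort_content(content)
        print(label, pattern, "->", buffers_containing(SAMPLE_REQUEST, pattern))
    print("rule would fire:", rule_would_fire(SAMPLE_REQUEST))
```

Running it shows the User-Agent pattern only in http_header and the Content-Disposition pattern only in http_client_body, which is the buffer the second content needs to be anchored to for the rule to match a request of this shape.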
Current thread:
- Asprox Sig James Lay (Nov 12)
- <Possible follow-ups>
- Fwd: Re: Asprox Sig James Lay (Nov 12)