Snort mailing list archives
IP address check to anonymous-servers.com
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Fri, 25 Jul 2014 11:49:16 -0400
Hello,

Got some interesting indicators from MalwareMustDie that there are some malware variants that check anonymous-servers.com/ip/ip.php to figure out where they're at. I wrote a couple of Snort rules. Apologies if these have already been submitted.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI possible IP address check to anonymous-servers.com"; flow:to_server,established; content:"GET"; http_method; content:"/ip/ip.php"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:1000000; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request to anonymous-servers.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|anonymous-servers|03|com"; fast_pattern:only; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:1000001; rev:1;)

comments? improvements?

--
when does reality end? when does fantasy begin?

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
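The two rules above hinge on wire-format details that are easy to get wrong: the DNS rule's content string is the hostname in label-length encoding (0x11 = 17 = len("anonymous-servers"), 0x03 = len("com")), and its byte_test requires the byte at offset 2 (the high flags byte) to have none of bits 0xF8 set, i.e. QR=0 and opcode=0, a standard query rather than a response. The following Python is an added example written for this archive page, not code from the post or from the Snort project; it builds a constructed DNS query and HTTP request line and re-implements both checks so the encoding can be verified offline. The function names and sample packets are this example's own.

```python
import struct

# Constructed sample inputs (not taken from the post): a DNS query and an
# HTTP request line shaped like the traffic the two rules describe.


def encode_dns_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format: each label is prefixed by its
    length byte and the name ends with a zero-length label. This is why the
    rule's content reads |11|anonymous-servers|03|com."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Build a minimal DNS message: 12-byte header plus one A/IN question.
    flags=0x0100 is a standard query with RD set; 0x8180 would be a response."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_dns_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


# The rule omits the trailing |00| label, so drop it from the pattern too.
DNS_PATTERN = encode_dns_name("anonymous-servers.com")[:-1]


def dns_rule_matches(payload: bytes) -> bool:
    """Mirror sid:1000001. byte_test:1,!&,0xF8,2 means: the one byte at offset 2
    must have no bit of 0xF8 set (QR=0, opcode=0). Then the label-encoded name
    must appear anywhere in the payload (content without offset/depth)."""
    if len(payload) < 3:
        return False
    if payload[2] & 0xF8:
        return False
    return DNS_PATTERN in payload


def http_rule_matches(request: bytes) -> bool:
    """Mirror sid:1000000 on a raw request line: method must be GET and the
    URI must contain /ip/ip.php. Snort's http_uri buffer is the normalized URI
    produced by the HTTP preprocessor, so this is an approximation of it."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    method, uri = parts[0], parts[1]
    return method == b"GET" and b"/ip/ip.php" in uri


if __name__ == "__main__":
    q = build_dns_query("anonymous-servers.com")
    print("label encoding:", encode_dns_name("anonymous-servers.com"))
    print("query matches DNS rule:", dns_rule_matches(q))
    print("response matches DNS rule:",
          dns_rule_matches(build_dns_query("anonymous-servers.com", flags=0x8180)))
    print("GET matches HTTP rule:",
          http_rule_matches(b"GET /ip/ip.php HTTP/1.1\r\nHost: anonymous-servers.com\r\n\r\n"))
```

Two things the check makes visible: because the content has no trailing |00| and no offset, the DNS rule also fires on any subdomain of anonymous-servers.com (the pattern is a substring of the encoded name), which may or may not be what you want; and the flags test only excludes responses and non-standard opcodes, so a query with RD clear still matches.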