Snort mailing list archives
Re: CobaltStrike certificate
From: wkitty42 () windstream net
Date: Mon, 12 Dec 2016 16:33:27 -0500
On 12/12/2016 03:30 PM, joshua burgess wrote:
That being said... What's wrong with this rule: alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert"; flow:established,from_server; content:"|6e ce 5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046; rev:1;)
is that extra space really in the thumb print? s/6e ce 5e/6e ce 5e/ ?? -- NOTE: No off-list assistance is given without prior approval. *Please keep mailing list traffic on the list* unless private contact is specifically requested and granted. ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- CobaltStrike certificate joshua burgess (Dec 12)
- Re: CobaltStrike certificate rmkml (Dec 12)
- Re: CobaltStrike certificate Joel Esler (jesler) (Dec 12)
- Re: CobaltStrike certificate wkitty42 (Dec 12)