Snort mailing list archives
Re: Win.Trojan.Dunihi
From: "Joel Esler (jesler) via Snort-sigs" <snort-sigs () lists snort org>
Date: Wed, 9 May 2018 03:13:22 +0000
What are you trying to do? Download the rule? You have to be a paid subscriber, download the ruleset, and then you can get the rule from inside the tarball, along with all of our other up to date rules.

Sent from my iPad

On May 8, 2018, at 11:11 PM, Ernest Johnson <ernest.johnson2 () gmail com> wrote:

Do I just log in and do a search for it?

On Tue, May 8, 2018, 8:29 PM Joel Esler (jesler) <jesler () cisco com> wrote:

We do have a rule for GandCrab malware. It's sid 45694. Available in our subscriber ruleset at https://www.snort.org/downloads#rules

--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com

On May 8, 2018, at 10:23 AM, Ernest Johnson via Snort-sigs <snort-sigs () lists snort org> wrote:

Phill, do you have a signature for Gand Crab Ransomware to alert or block it?

On Mon, May 7, 2018 at 12:06 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:
Hi,

Pcap is available for this as retrieved from the reference.

# --------------------
# Date: 2018-05-07
# Title: JacksBot, Dunihi
# Tests: pcap
# Reference: https://twitter.com/James_inthe_box/status/993508601862832130, https://app.any.run/tasks/7533e2da-24b1-424c-8624-dbb764852020

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Dunihi outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/is-ready"; fast_pattern:only; http_uri; content:"|3C 7C 3E|"; http_header; metadata:ruleset community, service http; reference:url,twitter.com/James_inthe_box/status/993508601862832130; reference:url,www.virustotal.com/#/file/be442a5f8be3bf720236f71a613a534b8aa82b16b0daf8ff84a59bcb92e19e7d/detection; classtype:trojan-activity; sid:8000048; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!

--
Ernest Johnson
504 621 2520
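The community rule YM posted in this thread (sid:8000048) fires on four things at once: a destination port of 1024 or higher, an HTTP POST, "/is-ready" somewhere in the URI, and the three bytes 3C 7C 3E ("<|>") somewhere in the request headers. The Python below is an added illustration for readers of the archive, not code from the thread or from Snort; it re-implements those checks over constructed HTTP requests so the rule's coverage can be reasoned about offline. It models the port range and the three content matches only: $HOME_NET/$EXTERNAL_NET and the flow:to_server,established TCP-state test are not modelled, and the sample requests, including the "<|>"-separated User-Agent value, are constructed for the demo rather than taken from a capture.

```python
"""Offline re-implementation of the match conditions in community rule sid:8000048
(MALWARE-CNC Win.Trojan.Dunihi outbound connection). Added illustration, not Snort's
own code: it models the rule's port range and its three content matches, not
$HOME_NET/$EXTERNAL_NET or the flow:to_server,established TCP-state check."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The rule's content matches, as bytes.
RULE_METHOD = b"POST"                         # content:"POST"; http_method;
RULE_URI = b"/is-ready"                       # content:"/is-ready"; http_uri;
RULE_HEADER_MARKER = bytes.fromhex("3C7C3E")  # content:"|3C 7C 3E|"; http_header;  -> b"<|>"
RULE_MIN_DST_PORT = 1024                      # -> $EXTERNAL_NET 1024:


@dataclass
class HttpRequest:
    dst_port: int
    method: bytes
    uri: bytes
    header_block: bytes  # all header lines, without the request line or body


def parse_request(raw: bytes, dst_port: int) -> Optional[HttpRequest]:
    """Minimal HTTP/1.x request-line and header splitter; None if not a request."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return HttpRequest(dst_port, parts[0], parts[1], header_block)


def matches_dunihi_rule(req: HttpRequest) -> bool:
    """True when every condition of sid:8000048 that this model covers holds."""
    return (
        req.dst_port >= RULE_MIN_DST_PORT
        and req.method == RULE_METHOD
        and RULE_URI in req.uri
        and RULE_HEADER_MARKER in req.header_block
    )


def scan(requests: List[Tuple[bytes, int]]) -> List[int]:
    """Indexes of (raw_request, dst_port) pairs that would raise the alert."""
    hits = []
    for i, (raw, port) in enumerate(requests):
        req = parse_request(raw, port)
        if req is not None and matches_dunihi_rule(req):
            hits.append(i)
    return hits


# Constructed sample traffic (not captured data). The "<|>"-separated User-Agent
# value is shaped after the rule's header match only.
SAMPLES: List[Tuple[bytes, int]] = [
    # 0: all conditions met -> alert
    (b"POST /is-ready HTTP/1.1\r\nHost: 192.0.2.10\r\n"
     b"User-Agent: ABCD1234<|>WIN-HOST<|>Microsoft Windows 7<|>No<|>FALSE\r\n"
     b"Content-Length: 0\r\n\r\n", 1177),
    # 1: same URI and port, but no "<|>" anywhere in the headers -> no alert
    (b"POST /is-ready HTTP/1.1\r\nHost: 192.0.2.10\r\n"
     b"User-Agent: Mozilla/5.0\r\nContent-Length: 0\r\n\r\n", 1177),
    # 2: GET instead of POST -> no alert
    (b"GET /is-ready HTTP/1.1\r\nHost: 192.0.2.10\r\n"
     b"User-Agent: ABCD1234<|>WIN-HOST\r\n\r\n", 1177),
    # 3: identical beacon, but sent to port 80: the rule's "1024:" range excludes it
    (b"POST /is-ready HTTP/1.1\r\nHost: 192.0.2.10\r\n"
     b"User-Agent: ABCD1234<|>WIN-HOST\r\nContent-Length: 0\r\n\r\n", 80),
    # 4: not HTTP at all -> parser returns None, never evaluated
    (b"not http at all\r\n\r\n", 1177),
]

if __name__ == "__main__":
    print("alerting sample indexes:", scan(SAMPLES))  # -> [0]
```

Running it reports only sample 0. Sample 3 is the one worth noticing when deploying the rule: the same beacon sent to port 80 falls outside the "1024:" port range and is not matched, so anyone who wants coverage on standard web ports has to widen the destination port and accept that Snort will then evaluate the rule against far more HTTP traffic (the fast_pattern:only on "/is-ready" keeps that cost down, since Snort only runs the remaining checks on requests that contain that string).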
Current thread:
- Win.Trojan.Dunihi Y M via Snort-sigs (May 07)
- Re: Win.Trojan.Dunihi Phillip Lee (May 07)
- <Possible follow-ups>
- Re: Win.Trojan.Dunihi Ernest Johnson via Snort-sigs (May 08)
- Re: Win.Trojan.Dunihi Joel Esler (jesler) via Snort-sigs (May 08)
- Re: Win.Trojan.Dunihi Ernest Johnson via Snort-sigs (May 08)
- Re: Win.Trojan.Dunihi Joel Esler (jesler) via Snort-sigs (May 08)
- Re: Win.Trojan.Dunihi Joel Esler (jesler) via Snort-sigs (May 08)