
Multiple signatures 033


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 23 Jan 2020 19:12:09 +0000

Hello,

Below are some rules, mostly for keylogger variants. PCAPs are available.

Thank you.
YM

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Trojan.ReconDoc outbound connection"; 
flow:to_server,established; content:".php?id="; http_uri; base64_decode:relative; base64_data; 
content:"document_name:"; content:"|7C|computer_name:"; content:"|7C|user_name:"; metadata:ruleset community, service 
http; classtype:trojan-activity; sid:8000734; rev:1;)
-----
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,465,587] (msg:"MALWARE-CNC Win.Trojan.Phoenix/404 keylogger variant 
outbound SMTP connection"; flow:to_server,established; content:"Subject: "; content:"PSWD |7C| Client Name:"; 
within:50; fast_pattern; metadata:ruleset community; classtype:trojan-activity; sid:8000718; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,465,587] (msg:"MALWARE-CNC Win.Trojan.Phoenix/404 keylogger variant 
outbound SMTP connection"; flow:to_server,established; content:"IP:"; content:"Owner Name:"; content:"OS Name:"; 
content:"Platform:"; metadata:ruleset community; classtype:trojan-activity; sid:8000721; rev:1;)
-----
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,465,587] (msg:"MALWARE-CNC Win.Trojan.Orion keylogger outbound SMTP 
connection"; flow:to_server,established; content:"Subject: Orion Logger"; fast_pattern:only; metadata:ruleset 
community; classtype:trojan-activity; sid:8000725; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,465,587] (msg:"MALWARE-CNC Win.Trojan.Orion keylogger outbound SMTP 
connection"; flow:to_server,established; content:"System Details |7C|=3D="; content:"=0D=0AComputer Name:"; 
content:"=0D=0ACountry Name:"; metadata:ruleset community; classtype:trojan-activity; sid:8000726; rev:1;)
-----
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.AveMaria variant initial inbound connection"; 
flow:to_client,established; dsize:12; content:"|09 12 3B 42 2D 33 A2 44|"; depth:8; fast_pattern; content:"|01 86 73|"; 
distance:1; metadata:ruleset community; classtype:trojan-activity; sid:8000681; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.AveMaria variant outbound connection 
response"; flow:to_server,established; content:"|09 12 3B 42|"; depth:4; fast_pattern; content:"|A2 44|"; distance:2; 
content:"|01 86 73|"; distance:1; metadata:ruleset community; classtype:trojan-activity; sid:8000682; rev:2;)
-----
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Doc.Trojan.HawkEye variant outbound FTP connection"; 
flow:to_server,established; content:"STOR HawkEyeReborn"; fast_pattern:only; metadata:ruleset community, service ftp; 
classtype:trojan-activity; sid:8000735; rev:1;)
-----
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,465,587] (msg:"MALWARE-CNC Win.Trojan.AspireLogger keylogger outbound 
SMTP connection"; flow:to_server,established; content:"Subject: AspireLogger ["; fast_pattern:only; metadata:ruleset 
community, service smtp; classtype:trojan-activity; sid:8999736; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,465,587] (msg:"MALWARE-CNC Win.Trojan.AspireLogger keylogger outbound 
SMTP connection"; flow:to_server,established; content:"PC:"; content:"IP:"; within:88; content:"Aspire"; 
metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8999737; rev:1;)
-----
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.QuasarRAT inbound SSL certificate exchange"; 
flow:to_client,established; content:"|55 04 03 0C|"; content:"Quasar Server CA"; distance:1; fast_pattern; 
metadata:ruleset community; classtype:trojan-activity; sid:8999738; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.QuasarRAT inbound connection"; 
flow:to_client,established; dsize:68; content:"|40 00 00 00|"; depth:4; fast_pattern; metadata:ruleset community; 
classtype:trojan-activity; sid:8999739; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.QuasarRAT IP address check"; 
flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.3|3B| rv:48.0) Gecko/20100101 
Firefox/48.0|0D 0A|Host:"; fast_pattern:only; http_header; content:"Connection: Keep-Alive|0D 0A|"; http_header; 
content:!"Content"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8999740; 
rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.QuasarRAT hidden HTTP request"; 
flow:to_server,established; ttl:65-128; content:"User-Agent: Mozilla/5.0 (Macintosh|3B| Intel Mac OS X 10_9_3) 
AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A|0D 0A|"; fast_pattern:only; metadata:ruleset 
community, service http; classtype:trojan-activity; sid:8999741; rev:1;)