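# Fox-IT SRT detection signatures for the Ponmocup trojan family (Snort 2.x rule syntax).
# All three rules cite the same write-up via reference:url. The variables $HOME_NET,
# $EXTERNAL_NET, $HTTP_PORTS and $SIP_PORTS are not defined here and must come from the
# sensor's configuration (snort.conf). Each rule carries a threshold of type limit,
# tracked by source, so a chatty host yields at most one alert per 600 s for the HTTP
# rules and per 3600 s for the SIP rule.
# Transcription repairs relative to the text as extracted from the page: "fast_ pattern"
# -> "fast_pattern", "Cache- Control" -> "Cache-Control" and "\ x2e" -> "\x2e". The stray
# spaces come from line wrapping; the first is not a valid rule option and the other two
# would never match the intended header / octet. Rule logic and rev numbers are unchanged.

# Rule 1 (sid 21001533) - generic Ponmocup HTTP check-in. Matches established client->server
# HTTP whose headers carry "Accept: */*", "Pragma: no-cache", "Cache-Control: no-cache" and a
# Cookie, have no Referer, and whose Host header is a dotted-quad IP literal (pcre with the
# H = http_header and m = multiline modifiers). Accept-Encoding, Accept-Language and
# Content-Type must be absent (negated content matches). priority:1 overrides the
# classtype default.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FOX-SRT - Trojan - Ponmocup HTTP Request (generic)"; flow:established,to_server; content:"Accept: */*|0d 0a|";fast_pattern;http_header; content:"Pragma|3a| no-cache|0d 0a|";http_header; content:"Cache-Control|3a| no-cache|0d 0a|";http_header; content:!"Referer|3a|";http_header; content:"Cookie|3a| ";http_header; pcre:"/^Host\x3A[^\r\n]+?\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\r\n/Hm"; content:!"Accept-Encoding|3a| ";http_header; content:!"Accept-Language|3a| ";http_header; content:!"Content-Type|3a| ";http_header; reference:url,http://blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; threshold:type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; priority:1; sid:21001533; rev:1;)

# Rule 2 (sid 21001686) - plugin-specific check-in. A GET request whose Host is an IP literal,
# User-Agent starts "Mozilla/4.", Content-Type is application/x-www-form-urlencoded (the
# fast_pattern anchor), the normalized URI is shorter than 50 bytes, there is no Referer, and
# the Cookie holds a short key with a long base64-looking value. Unlike rule 1 this rule has
# no flow: option and uses raw-payload content/distance chaining rather than http_header.
# NOTE(review): the space before "(=){0,2}" in the Cookie pcre looks like another line-wrap
# artifact (base64 padding follows the value directly), but it is left as found - confirm
# against the published rule before relying on that match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FOX-SRT - Trojan - Ponmocup plugin-specific check-in"; content:"GET"; http_method; content:"HTTP/1.1|0d0a|Accept: */*"; distance:0; content:"Content-Type: application/x-www-form-urlencoded"; fast_pattern; distance:0; pcre:"/Host: ([0-9]{1,3}\.){3}[0-9]{1,3}\x0d/R"; content:"User-Agent: Mozilla/4."; distance:0; content:"Cookie: "; pcre:"/Cookie: [a-z0-9]{1,10}=[a-z0-9+/]{20,500} (=){0,2}/iR"; urilen:<50,norm; content:!"Referer"; threshold:type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; reference:url,http://blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; sid:21001686; rev:2;)

# Rule 3 (sid 21001493) - Ponmocup plugin #2600 (SIP scanner). UDP from $HOME_NET on
# $SIP_PORTS to any destination carrying the SIP User-Agent "Zoiper for Windows rev.1812".
# A single content match with no flow or direction qualifier beyond the header; the
# 3600 s threshold keeps a scanning host to one alert per hour.
alert udp $HOME_NET $SIP_PORTS -> any any (msg:"FOX-SRT - Trojan - Ponmocup plugin #2600 (SIP scanner)"; content:"User-Agent|3a| Zoiper for Windows rev.1812|0d0a|"; threshold: type limit, count 1, seconds 3600, track by_src; reference:url,http://blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; sid:21001493; classtype:trojan-activity; rev:1;)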