
List:       snort-sigs
Subject:    [Snort-sigs] Detection for "niki-bot" and "Awesome Screenshot URL" spyware
From:       Tony Robinson <deusexmachina667 () gmail ! com>
Date:       2014-08-14 15:52:54
Message-ID: CAOGUb=hyPK4Mrts2vSpQmttoRAkhSwJmjNRqF4CJ91JcQd8+Jw () mail ! gmail ! com

Source: https://mig5.net/content/awesome-screenshot-and-niki-bot

# Inbound HTTP request whose User-Agent header names the "niki-bot" crawler.
# Direction is $EXTERNAL_NET -> $HOME_NET on $HTTP_PORTS, i.e. the bot talking
# to our own web servers, which is why it is classed as attempted-recon.
# The header match is the fast-pattern only and carries no nocase, so it is
# matched as written; confirm whether case variants of the header name need
# to be covered. Written with "\" continuations so the rule stays loadable
# despite the line breaks.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"BLACKLIST USER-AGENT niki-bot"; \
    flow:to_server,established; \
    content:"User-Agent|3A| niki-bot"; http_header; fast_pattern:only; \
    metadata:policy security-ips drop, service http; \
    reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; \
    classtype:attempted-recon; \
    sid:1000000; rev:1; \
)
# Outbound HTTP POST from a $HOME_NET client whose normalized URI contains
# "/service2". The URI match is an unanchored substring with no Host or other
# header constraint, so unrelated applications with a similar path will match
# as well; since the metadata places the rule in the security-ips drop policy,
# tighten it (longer path, host or header constraint taken from the referenced
# write-up) before running it inline. Written with "\" continuations so the
# rule stays loadable despite the line breaks.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"BLACKLIST URI POST request to /service2"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"/service2"; http_uri; fast_pattern:only; \
    metadata:policy security-ips drop, service http; \
    reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; \
    classtype:successful-recon-limited; \
    sid:1000001; rev:1; \
)
# DNS query from $HOME_NET for s1821.crdui.com, listed in the post as a known
# malware domain. The name is given in DNS wire format (length-prefixed labels
# ending in 0x00), so the pattern matches that name and any subdomain of it.
# byte_test requires that none of the 0xF8 bits of header byte 2 (the QR bit
# and the opcode field) are set, i.e. a standard query rather than a response
# or a non-standard opcode. Destination is any host on port 53, so lookups
# sent to internal resolvers fire too. Written with "\" continuations so the
# rule stays loadable despite the line breaks.
alert udp $HOME_NET any -> any 53 ( \
    msg:"BLACKLIST DNS request for known malware domain s1821.crdui.com"; \
    flow:to_server; \
    byte_test:1,!&,0xF8,2; \
    content:"|05|s1821|05|crdui|03|com|00|"; fast_pattern:only; \
    classtype:attempted-recon; \
    metadata:impact_flag red, policy security-ips drop, service dns; \
    reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; \
    sid:1000002; rev:1; \
)
# DNS query from $HOME_NET for webovernet.com, listed in the post as a known
# malware domain. The name is given in DNS wire format (length-prefixed labels
# ending in 0x00), so the pattern matches that name and any subdomain of it.
# byte_test requires that none of the 0xF8 bits of header byte 2 (the QR bit
# and the opcode field) are set, i.e. a standard query rather than a response
# or a non-standard opcode. Destination is any host on port 53, so lookups
# sent to internal resolvers fire too. Written with "\" continuations so the
# rule stays loadable despite the line breaks.
alert udp $HOME_NET any -> any 53 ( \
    msg:"BLACKLIST DNS request for known malware domain webovernet.com"; \
    flow:to_server; \
    byte_test:1,!&,0xF8,2; \
    content:"|0A|webovernet|03|com|00|"; fast_pattern:only; \
    classtype:attempted-recon; \
    metadata:impact_flag red, policy security-ips drop, service dns; \
    reference:url,mig5.net/content/awesome-screenshot-and-niki-bot; \
    sid:1000003; rev:1; \
)

-- 
when does reality end? when does fantasy begin?

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
