[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-sigs
Subject:    [Snort-sigs] Pawn Storm sig
From:       James Lay <jlay () slave-tothe-box ! net>
Date:       2015-02-04 19:11:01
Message-ID: ff05ba7b7f577e7a57140aff985e484f () localhost
[Download RAW message or body]

YAY:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"MALWARE-OTHER Pawn Storm UA (XAgent)"; flow:to_server,established; 
content:"User-Agent|3a| XAgent"; http_header; fast_pattern:only; 
reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found; \
 classtype:trojan-activity; sid:10000149; rev:1;)

http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/


Sanity checked only.

James

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


[prev in list] [next in list] [prev in thread] [next in thread]