
List:       snort-sigs
Subject:    Re: [Snort-sigs] Win.Trojan.CowerSnail signatures
From:       Tyler Montier <tmontier () sourcefire ! com>
Date:       2017-07-31 13:30:53
Message-ID: CACH8kzFDkXvSvL5AGOYj3rnSzHA401mjait7zm8GBDy7+5DyLQ () mail ! gmail ! com


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Thanks,

Tyler Montier
Cisco Talos

On Mon, Jul 31, 2017 at 8:35 AM, Y M via Snort-sigs <
snort-sigs@lists.snort.org> wrote:

> Hello,
>
>
> Another set of signatures derived from references. A pcap was downloaded
> from the reference and tested against.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.CowerSnail outbound connection attempt"; flow:to_server,established; content:"+CHANNEL|0B|"; fast_pattern:only; content:"line-client"; distance:0; reference:url,securelist.com/cowersnail-from-the-creators-of-sambacry/79087/; reference:url,www.hybrid-analysis.com/sample/3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc5c8b119c78fba38d6b7d1; metadata:ruleset community; classtype:trojan-activity; sid:110002; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.CowerSnail inbound connection"; flow:to_client,established; content:"R|00|e|00|q|00|u|00|e|00|s|00|t|00|"; fast_pattern:only; content:"|00|a|00|r|00|g|00|"; distance:0; content:"|00|t|00|y|00|p|00|e|00|"; distance:0; reference:url,securelist.com/cowersnail-from-the-creators-of-sambacry/79087/; reference:url,www.hybrid-analysis.com/sample/3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc5c8b119c78fba38d6b7d1; metadata:ruleset community; classtype:trojan-activity; sid:110003; rev:1;)
>
> Thanks.
>
> YM
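Added example, not part of the thread and not Talos or Snort code: a small Python emulation of the content chain in the two submitted rules, run over constructed payloads to show the byte order each rule requires (the UTF-16LE "Request" ... "arg" ... "type" sequence for sid 110003, and why a reordered or plain-ASCII payload does not fire). It models only the |hex| content syntax and distance:0 chaining, not the full Snort engine or fast_pattern:only semantics; the sample payloads are invented, not taken from the referenced pcap.

```python
# Content chains from the two submitted rules. Each tuple holds the raw
# content: arguments; every element after the first carries distance:0,
# i.e. it must begin at or after the end of the previous match.
RULE_110002 = ("+CHANNEL|0B|", "line-client")
RULE_110003 = ("R|00|e|00|q|00|u|00|e|00|s|00|t|00|",
               "|00|a|00|r|00|g|00|",
               "|00|t|00|y|00|p|00|e|00|")


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into bytes: text outside |...| is taken
    literally (ASCII), text inside |...| is space-separated hex byte values."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("ascii")
        else:
            out += bytes.fromhex(part)
    return bytes(out)


def chain_matches(payload: bytes, contents) -> bool:
    """Emulate a chain of content matches where every content after the first
    is distance:0 relative to the previous one (the search never rewinds)."""
    pos = 0
    for spec in contents:
        needle = parse_content(spec)
        idx = payload.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


# Constructed sample payloads (not captured traffic), shaped after the rules.
OUTBOUND = b"+CHANNEL\x0bline-client\r\n"
INBOUND_UTF16 = '<Request arg="id" type="cmd"/>'.encode("utf-16-le")
INBOUND_REORDERED = '<Request type="cmd" arg="id"/>'.encode("utf-16-le")
INBOUND_ASCII = b'<Request arg="id" type="cmd"/>'

if __name__ == "__main__":
    print("110002 on outbound:", chain_matches(OUTBOUND, RULE_110002))            # True
    print("110003 on UTF-16 inbound:", chain_matches(INBOUND_UTF16, RULE_110003))  # True
    print("110003 reordered:", chain_matches(INBOUND_REORDERED, RULE_110003))      # False
    print("110003 ASCII:", chain_matches(INBOUND_ASCII, RULE_110003))              # False
```

The leading |00| in the "arg" and "type" contents is the high byte of the preceding UTF-16LE character, so the rule only fires on wide-string traffic; the same tokens in ASCII do not match.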
