[Emerging-Sigs] Nitol-B

Travis Green tgreen at emergingthreats.net
Wed Dec 6 06:04:18 HST 2017


Thanks! We'll get this to QA for today's release.

-Travis

On Wed, Dec 6, 2017 at 3:33 AM, Attack Detection <attackdetectionteam at gmail.com> wrote:

> Hi.
> Take a look at our collection of pcaps (52) with Nitol-B, as well as
> the rule for outgoing connections.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
>     msg:"[PTsecurity] Botnet Nitol.B checkin"; \
>     flow:established,to_server,no_stream; \
>     dsize:<400; \
>     content:"|000077000000|"; depth:30; fast_pattern; \
>     content:"MHz"; distance:0; within:350; \
>     content:"|0000 0000 0000 0000 0000 0000 0000 0000|"; depth:120; \
>     classtype:trojan-activity; sid:10000898; rev:3; \
> )
>
> https://www.dropbox.com/sh/e72kj4phzs92zmf/AAD5UBX-qs1RImJCiOTDddBXa?dl=0
>
> Best regards,
> John.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
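Before a rule like this goes to QA it helps to be exact about the byte windows its modifiers define: depth:30 means the six-byte header must end within the first 30 payload bytes, distance:0/within:350 means "MHz" must end within 350 bytes of the end of that header, and the third content has no relative modifier, so its 16 zero bytes must end within the first 120 bytes of the payload regardless of where the earlier matches landed. The script below is an added example, not PTsecurity's or Emerging Threats' code: it re-implements those content/depth/distance/within/dsize semantics (including the engine behaviour of retrying a later occurrence of an earlier content when a relative match fails) and runs the posted rule's three clauses over hand-built payloads. The payloads are constructed only to satisfy or violate the rule's constraints; the real Nitol-B check-in layout is not described on the page beyond what the rule implies, and the "Windows 7"/"2400MHz" strings are assumptions.

```python
"""
Toy matcher for the content/depth/distance/within/dsize semantics of the
[PTsecurity] Nitol.B check-in rule, run over constructed payloads.
Added example; not PTsecurity or Emerging Threats code, and the payloads
are hand-built, not captured Nitol-B traffic.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass
class Content:
    pattern: bytes
    depth: Optional[int] = None      # absolute: match must end within the first `depth` bytes
    offset: int = 0                  # absolute: start searching at this byte
    distance: Optional[int] = None   # relative: start `distance` bytes after the previous match end
    within: Optional[int] = None     # relative: match must end within `within` bytes of that start


def parse_content(s: str) -> bytes:
    """Turn a Snort/Suricata content string (text with |hex| sections) into raw bytes."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)


def _match_ends(payload: bytes, c: Content, prev_end: int) -> Iterator[int]:
    """Yield the end offset of every occurrence of c.pattern that its modifiers allow."""
    if c.distance is not None or c.within is not None:
        start = prev_end + (c.distance or 0)
        end = start + c.within if c.within is not None else len(payload)
    else:
        start = c.offset
        end = c.depth if c.depth is not None else len(payload)
    pos = start
    while True:
        idx = payload.find(c.pattern, pos, end)   # match must lie fully inside [start, end)
        if idx < 0:
            return
        yield idx + len(c.pattern)
        pos = idx + 1


def rule_matches(payload: bytes, contents: List[Content], dsize_lt: int) -> bool:
    """dsize:<N plus ordered content clauses; when a later relative content fails,
    earlier occurrences of the previous content are retried, as the engines do."""
    if len(payload) >= dsize_lt:
        return False

    def rec(i: int, prev_end: int) -> bool:
        if i == len(contents):
            return True
        return any(rec(i + 1, end) for end in _match_ends(payload, contents[i], prev_end))

    return rec(0, 0)


# The three content clauses of the posted rule, in order, plus its dsize bound.
NITOL_B = [
    Content(parse_content("|000077000000|"), depth=30),
    Content(parse_content("MHz"), distance=0, within=350),
    Content(parse_content("|0000 0000 0000 0000 0000 0000 0000 0000|"), depth=120),
]
NITOL_B_DSIZE_LT = 400

HDR = b"\x00\x00\x77\x00\x00\x00"

# Constructed payloads (assumed layout, built only to exercise the rule's constraints).
CHECKIN = (
    HDR                                        # content 1 at offset 0, ends at 6 (depth:30 ok)
    + b"\x00" * 16                             # zero run for content 3, inside the first 120 bytes
    + b"Windows 7 Ultimate".ljust(32, b"\x00")  # assumed OS string
    + b"2400MHz".ljust(16, b"\x00")            # "MHz" ends at 61, inside within:350 of offset 6
)
ZEROS_TOO_DEEP = HDR + b"A" * 120 + b"\x00" * 16 + b"2400MHz"   # zero run starts past byte 120
HEADER_TOO_DEEP = b"X" * 25 + CHECKIN                           # content 1 would end at 31 > 30
TOO_LARGE = CHECKIN + b"\x00" * 400                             # 470 bytes, fails dsize:<400
# content 1 twice: "MHz" ends at 370, outside within:350 of the first hit (6+350=356)
# but inside it for the second hit (26+350=376); only the retry makes this alert
RETRY_NEEDED = HDR + b"\x00" * 14 + HDR + b"A" * 341 + b"MHz"


def check_all() -> dict:
    """Map each constructed payload name to whether the rule would alert on it."""
    samples = [("CHECKIN", CHECKIN), ("ZEROS_TOO_DEEP", ZEROS_TOO_DEEP),
               ("HEADER_TOO_DEEP", HEADER_TOO_DEEP), ("TOO_LARGE", TOO_LARGE),
               ("RETRY_NEEDED", RETRY_NEEDED)]
    return {name: rule_matches(p, NITOL_B, NITOL_B_DSIZE_LT) for name, p in samples}


if __name__ == "__main__":
    for name, hit in check_all().items():
        print(f"{name:16} -> {'ALERT' if hit else 'no match'}")
```

This is a model of the matching logic, not a substitute for the engine: the authoritative check is still to load the rule into Suricata (for example with `suricata -r <pcap> -S nitol.rules`) against the 52 pcaps in the linked collection and confirm an alert per check-in, and to run it over clean traffic to see whether the 16-zero-byte run and the short "MHz" string produce false positives on other small binary check-ins.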