[Emerging-Sigs] Mirai negations

Francis Trudeau trudeauf at gmail.com
Mon Jun 15 11:02:12 HDT 2020


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant UA Outbound (Ouija_x.86)"; flow:established,to_server; content:"User-Agent|3a 20|Ouija"; http_header; content:!"OuijaBoadWigi"; http_user_agent; metadata: former_category MALWARE; classtype:trojan-activity; sid:2028990; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_11_18, updated_at 2019_12_31;)

Please:

's/Boad/Board/g'

in the UA negation and please add the same negation to 2839469: "ETPRO
TROJAN Observed ELF/Mirai Variant UA Inbound (Ouija_x.86)"
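As an added illustration of why the one-letter typo matters (this is not part of Francis Trudeau's post and not ET's own tooling): a small Python evaluator of the rule's `content:` keywords, positive and negated. It assumes a simplified matching model in which every content pattern is checked against the raw request header block rather than Suricata's per-buffer (`http_header` / `http_user_agent`) matching; for substrings of the User-Agent value the outcome is the same. The rule copy, the `request_with_ua` helper and the sample User-Agent strings are constructed for the example.

```python
import re

# Constructed copy of the rule as it appears in the post (typo "Boad" kept), on one line.
RULE_AS_POSTED = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"ET TROJAN ELF/Mirai Variant UA Outbound (Ouija_x.86)"; '
    'flow:established,to_server; content:"User-Agent|3a 20|Ouija"; http_header; '
    'content:!"OuijaBoadWigi"; http_user_agent; metadata: former_category MALWARE; '
    'classtype:trojan-activity; sid:2028990; rev:4;)'
)

# Captures the optional "!" (negation) and the quoted pattern of each content keyword.
CONTENT_RE = re.compile(r'content:\s*(!?)"([^"]*)"')


def decode_pattern(pattern: str) -> bytes:
    """Turn a Suricata content string into bytes: text outside pipes is literal,
    text between pipes is hex (e.g. |3a 20| is ": ")."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)


def rule_contents(rule: str):
    """List every content keyword as (negated, pattern_bytes), in rule order."""
    return [(neg == "!", decode_pattern(pat)) for neg, pat in CONTENT_RE.findall(rule)]


def rule_matches(rule: str, request_headers: str) -> bool:
    """Simplified evaluation (assumption of this example): every positive content must be
    present in the header block and every negated content absent. Real Suricata checks each
    content against its sticky buffer (http_header vs http_user_agent)."""
    data = request_headers.encode()
    return all((pat not in data) if negated else (pat in data)
               for negated, pat in rule_contents(rule))


def apply_fix(rule: str) -> str:
    """The edit requested in the post, s/Boad/Board/g, applied to the rule text."""
    return re.sub(r"Boad", "Board", rule)


def request_with_ua(user_agent: str) -> str:
    """Constructed minimal HTTP/1.1 request header block carrying the given User-Agent."""
    return ("GET / HTTP/1.1\r\nHost: host.invalid\r\n"
            f"User-Agent: {user_agent}\r\nConnection: close\r\n\r\n")


if __name__ == "__main__":
    fixed = apply_fix(RULE_AS_POSTED)
    for ua in ("Ouija/1.0", "OuijaBoardWigi/2.1", "OuijaBoadWigi/2.1"):
        print(f"{ua:20} posted rule: {rule_matches(RULE_AS_POSTED, request_with_ua(ua))!s:5} "
              f"fixed rule: {rule_matches(fixed, request_with_ua(ua))}")
```

Running it shows the posted rule still fires on a User-Agent containing "OuijaBoardWigi", because the negated pattern "OuijaBoadWigi" never occurs in the string it was meant to exclude, so the negation silently does nothing; after the substitution the negation suppresses that case while "Ouija/1.0" still alerts. The same check applies to sid 2839469 once its negation is added.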