<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">That won't work unless you have 443 in http_inspects config.<div><br></div><div>Just FYI.</div><div><br></div><div><span style="font-size: 12px; font-family: 'Lucida Grande'; ">--</span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; "><b>Joel Esler</b></span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; ">Senior Research Engineer, VRT</span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; ">OpenSource Community Manager</span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; ">Sourcefire</span></div><div><font face="Lucida Grande"><br></font><div><div>On Dec 9, 2012, at 8:57 PM, Christopher Granger <<a href="mailto:chrisgrangerx@gmail.com">chrisgrangerx@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Hi ET,<div><br></div><div>Trojan.Gatak is a Trojan that allows backdoor access. Some versions are able to spread via shared resources. </div><div><br></div><div>The Trojan uses 443/TCP for C&C but sessions are not SSL/TLS encrypted. </div>
<div><br></div><div>Example requests:</div><div>/galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe</div><div>/galfstream&xcrvekhyx=ZJRWYZFTYdty0IFmK_nSHiT0JDY4AGgj</div><div>/golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz</div>
<div><br></div><div><br></div><div>Proposed rule:</div><div>alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Gatak POST Request to C&C"; flow:established,to_server; content:"POST"; nocase; http_method; content:"lfstream&"; nocase; http_uri; depth:12; pcre:"/\/g[oa]lfstream&/UAi"; reference:url,<a href="http://www.symantec.com/security_response/writeup.jsp?docid=2012-012813-0854-99">www.symantec.com/security_response/writeup.jsp?docid=2012-012813-0854-99</a>; classtype:trojan-activity; sid:XXXXXXX; rev:1;)</div>
<div><br></div><div>Regards,</div><div>-Chris</div>
_______________________________________________<br>Emerging-sigs mailing list<br><a href="mailto:Emerging-sigs@lists.emergingthreats.net">Emerging-sigs@lists.emergingthreats.net</a><br>http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs<br><br>Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com<br>The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!</blockquote></div><br></div></body></html>
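As an added example (not code from either post), a small Python model of how the proposed rule's http_method/http_uri matching behaves on constructed sample requests to TCP/443, with and without 443 in the http_inspect port list; the sample payloads and the `http_ports` parameter are assumptions made for the illustration.

```python
import re

# Constructed sample traffic (not captured data): (dst_port, raw TCP payload)
SAMPLES = [
    (443, b"POST /galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"),
    (443, b"POST /golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz HTTP/1.1\r\n\r\n"),
    (443, b"GET /galfstream&x=1 HTTP/1.1\r\n\r\n"),    # wrong method: rule needs POST
    (443, b"POST /gulfstream&x=1 HTTP/1.1\r\n\r\n"),   # content matches, pcre [oa] does not
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # TLS ClientHello, not cleartext HTTP
]

# Mirrors pcre:"/\/g[oa]lfstream&/UAi" (anchored, case-insensitive, URI buffer)
URI_PCRE = re.compile(r"/g[oa]lfstream&", re.IGNORECASE)


def http_buffers(dst_port, payload, http_ports):
    """Model of what http_inspect hands the detection engine: the http_method
    and http_uri buffers exist only for ports listed in its configuration."""
    if dst_port not in http_ports:
        return None
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None  # not parseable as an HTTP request line
    return parts[0].decode("latin-1"), parts[1].decode("latin-1")


def gatak_rule_matches(dst_port, payload, http_ports):
    """Apply the proposed rule's conditions to one request."""
    if dst_port != 443:                        # $HOME_NET any -> $EXTERNAL_NET 443
        return False
    bufs = http_buffers(dst_port, payload, http_ports)
    if bufs is None:                           # empty http_* buffers never match
        return False
    method, uri = bufs
    if method.upper() != "POST":               # content:"POST"; nocase; http_method;
        return False
    if "lfstream&" not in uri[:12].lower():    # content:"lfstream&"; nocase; http_uri; depth:12;
        return False
    return URI_PCRE.match(uri) is not None


def evaluate(http_ports):
    """Rule verdict for every sample under a given http_inspect port set."""
    return [gatak_rule_matches(p, d, http_ports) for p, d in SAMPLES]


if __name__ == "__main__":
    print("http_inspect ports {80}:     ", evaluate({80}))
    print("http_inspect ports {80, 443}:", evaluate({80, 443}))
```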