merge files from the blockchain infra repo (#59)

2025-07-31 10:39:09 -04:00 · 2024-11-17 17:03:20 -08:00 · 2024-11-17 17:03:20 -08:00 · 2a6449bb85
commit 2a6449bb85
parent 23f56ef195
346 changed files with 29097 additions and 132 deletions
--- a/code/chef/templates/mac_os_x/osxmalware.rules.erb
+++ b/code/chef/templates/mac_os_x/osxmalware.rules.erb
@ -0,0 +1,12 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K/I reporting successful infection"; flow:established,to_server; content:"/stat_d/"; http_uri; pcre:"/\/stat_d\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145229; rev:4;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I reporting successful infection 2"; flow:established,to_server; content:"/stat_u/"; http_uri; pcre:"/\/stat_u\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145239; rev:3;)
+
+#
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K/I reporting failed infection"; flow:established,to_server; content:"/stat_n/"; http_uri; pcre:"/\/stat_n\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145249; rev:4;)
+
+#
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K first execution checkin"; flow:established,to_server; content:"/stat_svc/"; http_uri; pcre:"/\/stat_svc\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145259; rev:4;)
+
+#
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K/I User-Agent"; flow:established,to_server; content:" WOW64|3b| rv|3a|9.0.1|3b| sv|3a|"; http_header; content:" id|3a|"; http_header; within:6; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; classtype:trojan-activity; sid:20145349; rev:4;)