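def snortRule(md5, config_dict):
    """Build Snort rules for a ShadowTech sample's C2 "Domain" and store them.

    Args:
        md5: sample hash passed through as the key for ``database.insertSnort``.
        config_dict: extracted malware config; only the ``"Domain"`` value is read.

    Returns:
        None. Side effect: ``database.insertSnort(md5, rules)`` is always called,
        with an empty list when the domain is one character or shorter.

    Raises:
        KeyError: ``"Domain"`` is missing from ``config_dict``.
        TypeError: the domain value is not a string.

    ``re`` and ``database`` are module-level names expected to be imported by
    the enclosing file (not visible in this listing).

    The domain is extracted from a malware sample, so it is untrusted text.
    Characters that Snort interprets inside quoted rule options (backslash,
    double quote, semicolon, pipe) are backslash-escaped before being spliced
    into the ``msg``/``content`` strings, so a hostile config value cannot
    break or alter the generated rule.
    """
    rules = []
    domain = config_dict["Domain"]

    def escape_option(text):
        # Snort quoted-option escaping: \ " ; | must be preceded by a backslash.
        return re.sub(r'([\\";|])', r'\\\1', text)

    # Anchored match (fullmatch, raw string) so that something like
    # "host1.2.3.4.com" is not mistaken for an IPv4 literal; the previous
    # unanchored search produced an invalid "alert tcp ... -> host1.2.3.4.com".
    is_ipv4 = re.fullmatch(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", domain) is not None

    if len(domain) > 1:
        msg = 'msg: "ShadowTech Beacon Domain: ' + escape_option(domain) + '"'
        # NOTE(review): the DNS rules below share sid:5000000 with the same gid
        # and rev; Snort rejects duplicate sids, so a deployment needs distinct
        # sids per rule. Kept as-is here because the value is part of the
        # stored output.
        tail = (
            "classtype:trojan-activity; sid:5000000; rev:1; priority:1; "
            "reference:url,http://malwareconfig.com;"
        )
        if is_ipv4:
            # domain is a validated dotted quad here, safe to use as the dst address.
            rules.append(
                "alert tcp any any -> " + domain + " any (" + msg + "; " + tail + ")"
            )
        else:
            # DNS QNAME wire format: every label is prefixed with its length
            # byte and the name is terminated by 0x00. The old hard-coded |0e|
            # prefix only matched first labels of exactly 14 characters.
            # Labels longer than 63 bytes are not valid DNS and are not
            # special-cased.
            labels = [label for label in domain.split(".") if label]
            qname = "".join(
                "|%02x|" % len(label) + escape_option(label) for label in labels
            ) + "|00|"
            content = 'content:"' + qname + '"; nocase'
            for proto in ("udp", "tcp"):
                rules.append(
                    "alert " + proto + " any any -> any 53 ("
                    + msg + "; " + content + "; " + tail + ")"
                )
    database.insertSnort(md5, rules)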
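def snortRule(md5, conf):
    """Build Snort rules for a jRat sample's C2 "Domain" and store them.

    Args:
        md5: sample hash passed through as the key for ``database.insertSnort``.
        conf: extracted malware config; only the ``"Domain"`` value is read.

    Returns:
        None. Side effect: ``database.insertSnort(md5, rules)`` is always called,
        with an empty list when the domain is one character or shorter.

    Raises:
        KeyError: ``"Domain"`` is missing from ``conf``.
        TypeError: the domain value is not a string.

    ``re`` and ``database`` are module-level names expected to be imported by
    the enclosing file (not visible in this listing).

    The domain is extracted from a malware sample, so it is untrusted text.
    Characters that Snort interprets inside quoted rule options (backslash,
    double quote, semicolon, pipe) are backslash-escaped before being spliced
    into the ``msg``/``content`` strings, so a hostile config value cannot
    break or alter the generated rule.
    """
    rules = []
    domain = conf["Domain"]

    def escape_option(text):
        # Snort quoted-option escaping: \ " ; | must be preceded by a backslash.
        return re.sub(r'([\\";|])', r'\\\1', text)

    # Anchored match (fullmatch, raw string) so that something like
    # "host1.2.3.4.com" is not mistaken for an IPv4 literal; the previous
    # unanchored search produced an invalid "alert tcp ... -> host1.2.3.4.com".
    is_ipv4 = re.fullmatch(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", domain) is not None

    if len(domain) > 1:
        msg = 'msg: "jRat Beacon Domain: ' + escape_option(domain) + '"'
        # NOTE(review): the DNS rules below share sid:5000000 with the same gid
        # and rev; Snort rejects duplicate sids, so a deployment needs distinct
        # sids per rule. Kept as-is here because the value is part of the
        # stored output.
        tail = (
            "classtype:trojan-activity; sid:5000000; rev:1; priority:1; "
            "reference:url,http://malwareconfig.com;"
        )
        if is_ipv4:
            # domain is a validated dotted quad here, safe to use as the dst address.
            rules.append(
                "alert tcp any any -> " + domain + " any (" + msg + "; " + tail + ")"
            )
        else:
            # DNS QNAME wire format: every label is prefixed with its length
            # byte and the name is terminated by 0x00. The old hard-coded |0e|
            # prefix only matched first labels of exactly 14 characters.
            # Labels longer than 63 bytes are not valid DNS and are not
            # special-cased.
            labels = [label for label in domain.split(".") if label]
            qname = "".join(
                "|%02x|" % len(label) + escape_option(label) for label in labels
            ) + "|00|"
            content = 'content:"' + qname + '"; nocase'
            for proto in ("udp", "tcp"):
                rules.append(
                    "alert " + proto + " any any -> any 53 ("
                    + msg + "; " + content + "; " + tail + ")"
                )
    database.insertSnort(md5, rules)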
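def snortRule(md5, dict):
    """Build Snort rules for a VirusRat sample's C2 "Domain" and store them.

    Args:
        md5: sample hash passed through as the key for ``database.insertSnort``.
        dict: extracted malware config; only the ``"Domain"`` value is read.
            The parameter name shadows the builtin and is kept only because
            callers may pass it by keyword.

    Returns:
        None. Side effect: ``database.insertSnort(md5, rules)`` is always called,
        with an empty list when the domain is one character or shorter.

    Raises:
        KeyError: ``"Domain"`` is missing from ``dict``.
        TypeError: the domain value is not a string.

    ``re`` and ``database`` are module-level names expected to be imported by
    the enclosing file (not visible in this listing).

    The domain is extracted from a malware sample, so it is untrusted text.
    Characters that Snort interprets inside quoted rule options (backslash,
    double quote, semicolon, pipe) are backslash-escaped before being spliced
    into the ``msg``/``content`` strings, so a hostile config value cannot
    break or alter the generated rule.
    """
    rules = []
    domain = dict["Domain"]

    def escape_option(text):
        # Snort quoted-option escaping: \ " ; | must be preceded by a backslash.
        return re.sub(r'([\\";|])', r'\\\1', text)

    # Anchored match (fullmatch, raw string) so that something like
    # "host1.2.3.4.com" is not mistaken for an IPv4 literal; the previous
    # unanchored search produced an invalid "alert tcp ... -> host1.2.3.4.com".
    is_ipv4 = re.fullmatch(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", domain) is not None

    if len(domain) > 1:
        msg = 'msg: "VirusRat Beacon Domain: ' + escape_option(domain) + '"'
        # NOTE(review): the DNS rules below share sid:5000000 with the same gid
        # and rev; Snort rejects duplicate sids, so a deployment needs distinct
        # sids per rule. Kept as-is here because the value is part of the
        # stored output.
        tail = (
            "classtype:trojan-activity; sid:5000000; rev:1; priority:1; "
            "reference:url,http://malwareconfig.com;"
        )
        if is_ipv4:
            # domain is a validated dotted quad here, safe to use as the dst address.
            rules.append(
                "alert tcp any any -> " + domain + " any (" + msg + "; " + tail + ")"
            )
        else:
            # DNS QNAME wire format: every label is prefixed with its length
            # byte and the name is terminated by 0x00. The old hard-coded |0e|
            # prefix only matched first labels of exactly 14 characters.
            # Labels longer than 63 bytes are not valid DNS and are not
            # special-cased.
            labels = [label for label in domain.split(".") if label]
            qname = "".join(
                "|%02x|" % len(label) + escape_option(label) for label in labels
            ) + "|00|"
            content = 'content:"' + qname + '"; nocase'
            for proto in ("udp", "tcp"):
                rules.append(
                    "alert " + proto + " any any -> any 53 ("
                    + msg + "; " + content + "; " + tail + ")"
                )
    database.insertSnort(md5, rules)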