alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY BitCoin? User-Agent Likely Bitcoin Miner"; flow:established,to_server; content:"BitCoin"; nocase; http_header; fast_pattern:only; pcre:"/User-Agent\x3A[^\r\n]*BitCoin/Hi"; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:trojan-activity; sid:2013457; rev:2;)

Added 2011-10-12 19:36:54 UTC

FP - this finds the BitCoin? client, possibly a miner too, but definitely a client

Data:

GET /peers HTTP/1.1 User-Agent: /bitcoinj:0.14.3/ Host: httpseed.bitcoin.schildbach.de Connection: Keep-Alive

-- JimMcKibben - 2016-08-15


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY BitCoin? User-Agent Likely Bitcoin Miner"; flow:established,to_server; content:"BitCoin"; nocase; http_header; fast_pattern:only; pcre:"/User-Agent\x3A[^\r\n]*BitCoin/Hi"; classtype:trojan-activity; reference:url,isc.sans.edu/diary.html?storyid=11059; sid:2013457; rev:2;)

Added 2011-08-24 16:56:01 UTC


Topic revision: r2 - 2016-08-15 - JimMcKibben
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats