-
Notifications
You must be signed in to change notification settings - Fork 21
/
Copy pathwCry-Ransomware.rules
14 lines (9 loc) · 1.54 KB
/
wCry-Ransomware.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
#
# Callback rule for Terminaion URL used by wCry malware.
#
alert udp $HOME_NET any -> any 53 (msg:"wCry Ransomware - Termination URL Call"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|29|iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea|03|com|00|"; distance:0; fast_pattern; classtype:trojan-activity; sid:5000090; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"wCry Ransomware - Termination URL Call"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|29|ifferfsodp9ifjaposdfjhgosurijfaewrwergwea|03|com|00|"; distance:0; fast_pattern; classtype:trojan-activity; sid:5000091; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"wCry Ransomware - Termination URL Call"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|29|ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf|03|com|00|"; distance:0; fast_pattern; classtype:trojan-activity; sid:5000092; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"wCry Ransomware - Termination URL Call"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|29|iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea|03|com|00|"; distance:0; fast_pattern; classtype:trojan-activity; sid:5000093; rev:1;)
# This domain needs to remain UNSINKHOLED - Worm will propagate if sinkholed.
alert udp $HOME_NET any -> any 53 (msg:"wCry Ransomware - Activation URL Call"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|29|ayylmaoTJHSSTasdfasdfasdfasdfasdfasdfasdf|03|com|00|"; distance:0; fast_pattern; classtype:trojan-activity; sid:5000094; rev:1;)