alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin? User-Agent Likely Bitcoin Miner"; flow:established,to_server; content:"BitCoin"; nocase; http_user_agent; fast_pattern:only; metadata: former_category POLICY; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:trojan-activity; sid:2013457; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Audit, created_at 2011_08_24, updated_at 2017_10_12;)

Added 2017-10-13 16:25:25 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin? User-Agent Likely Bitcoin Miner"; flow:established,to_server; content:"BitCoin"; nocase; http_user_agent; fast_pattern:only; metadata: former_category POLICY; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:trojan-activity; sid:2013457; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Audit, created_at 2011_08_24, updated_at 2017_10_12;)

Added 2017-10-12 16:20:33 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin? User-Agent Likely Bitcoin Miner"; flow:established,to_server; content:"BitCoin"; nocase; http_user_agent; fast_pattern:only; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:trojan-activity; sid:2013457; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Major, created_at 2011_08_24, updated_at 2016_07_01;)

Added 2017-08-07 21:06:45 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY BitCoin? User-Agent Likely Bitcoin Miner"; flow:established,to_server; content:"BitCoin"; nocase; http_header; fast_pattern:only; pcre:"/User-Agent\x3A[^\r\n]*BitCoin/Hi"; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:trojan-activity; sid:2013457; rev:2;)

Added 2011-10-12 19:36:54 UTC

FP - this finds the BitCoin? client, possibly a miner too, but definitely a client

Data:

GET /peers HTTP/1.1 User-Agent: /bitcoinj:0.14.3/ Host: httpseed.bitcoin.schildbach.de Connection: Keep-Alive

-- JimMcKibben - 2016-08-15


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY BitCoin? User-Agent Likely Bitcoin Miner"; flow:established,to_server; content:"BitCoin"; nocase; http_header; fast_pattern:only; pcre:"/User-Agent\x3A[^\r\n]*BitCoin/Hi"; classtype:trojan-activity; reference:url,isc.sans.edu/diary.html?storyid=11059; sid:2013457; rev:2;)

Added 2011-08-24 16:56:01 UTC


Topic revision: r2 - 2016-08-15 - JimMcKibben
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats