Snort mailing list archives
Re: Quick Kuluoz sig
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 31 Aug 2012 20:14:44 -0400
Thanks James!

--
Joel Esler

On Aug 31, 2012, at 7:01 PM, James Lay <jlay () slave-tothe-box net> wrote:
Got 3 minutes before I'm out for a three day ;) Tired of searching for these in email pcaps, so here's the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS Possible Kuluoz spamvertised URL in email"; flow:to_server,established; content:"href=|22|http|3a 2f 2f|"; content:".htm|22|"; distance:0; within:50; pcre:"/\x2f[A-Z]{10}\.htm\x22/ms"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; reference:url,http://blog.webroot.com/2012/08/31/cybercriminals-impersonate-ups-serve-malware; sid:10000021; rev:1;)

Your mileage may vary...stacked up well in my testing. Have a good three day (for those in the USA) weekend all!!

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
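To see how the three options of the posted rule interact (the two content matches tied together by distance:0/within:50, plus a pcre that runs over the whole payload because it carries no R flag), here is an added example that emulates that matching logic in Python against constructed SMTP bodies. It is not Snort and not James Lay's code; the message bodies and the example.invalid host are made up for illustration.

```python
import re

# Patterns taken from the rule above (rule syntax translated to Python bytes).
CONTENT_1 = b'href="http://'   # content:"href=|22|http|3a 2f 2f|"
CONTENT_2 = b'.htm"'           # content:".htm|22|"; distance:0; within:50
# pcre:"/\x2f[A-Z]{10}\.htm\x22/ms" -> exactly ten uppercase letters between "/" and ".htm"
PCRE = re.compile(rb'/[A-Z]{10}\.htm"', re.M | re.S)


def rule_matches(payload: bytes) -> bool:
    """Return True when all three options of the rule match the payload.

    distance:0 means CONTENT_2 may start at or after the end of the CONTENT_1
    match; within:50 means it must lie entirely inside the 50 bytes that follow.
    The pcre has no R (relative) flag, so it is searched over the whole buffer.
    """
    start = 0
    while True:
        i = payload.find(CONTENT_1, start)
        if i == -1:
            return False
        end_of_first = i + len(CONTENT_1)
        window = payload[end_of_first:end_of_first + 50]
        if CONTENT_2 in window and PCRE.search(payload):
            return True
        # As Snort does, retry with the next occurrence of the first content
        # before declaring the rule a non-match.
        start = i + 1


# Constructed sample bodies (not real captures).
KULUOZ_LIKE = (b'Your package could not be delivered.\r\n'
               b'<a href="http://example.invalid/ABCDEFGHIJ.htm">Print label</a>\r\n')
# Same link shape but a lowercase path: the pcre is what rejects this one.
BENIGN = b'Read the docs at <a href="http://example.invalid/docs/intro.htm">here</a>\r\n'
# Ten-uppercase-letter .htm path is present, but ".htm" sits more than 50 bytes
# after href="http://, so within:50 fails even though the pcre would match.
TOO_FAR = b'<a href="http://example.invalid/' + b'x' * 60 + b'/ABCDEFGHIJ.htm">x</a>'

if __name__ == "__main__":
    for name, body in (("kuluoz-like", KULUOZ_LIKE), ("benign", BENIGN), ("too far", TOO_FAR)):
        print(f"{name}: {'ALERT' if rule_matches(body) else 'no match'}")
```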