Re: ....Fort Disco anyone?

[Joel Esler <jesler () sourcefire com>]

On Aug 8, 2013, at 3:58 PM, James Lay <jlay () slave-tothe-box net> wrote:
> On 2013-08-08 13:52, Joel Esler wrote:
> > Thanks James, I ran the samples and got a slightly better content match:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"MALWARE-CNC Fort Disco Registration outbound connection";
> > flow:to_server,established; content:"/cmd.php"; http_uri;
> > content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Synapse)";
> > fast_pattern:only; http_header; metadata:policy balanced-ips drop,
> > policy security-ips drop, ruleset community, service http;
> > reference:url,www.net-security.org/secworld.php?id=15370;
> > classtype:trojan-activity; sid:27599; rev:1;)
>
> Thanks Joel...I'll try and remember to include the UA on this type of thing.

Well, only if it’s static between samples.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!