Snort mailing list archives
Re: Zbot variant sigs
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 11 Oct 2013 14:21:56 -0400
On Oct 10, 2013, at 4:43 AM, Y M <snort () outlook com> wrote:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack"; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; file_data; content:"swift_copy.exe"; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:1;)
That shouldn't work: you have an outbound rule, but you are looking for the file being downloaded in the return ("file_data; content:"swift_copy.exe"").

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
AEGIS Intelligence Lead
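A small lint that makes the mismatch Joel describes mechanically checkable, as an added example (not code from the thread or from the Snort project). It assumes Snort 2.x buffer semantics: modifiers such as http_uri follow the content they apply to and live in the request, while file_data is a sticky buffer that selects the HTTP response body for every content after it; the rule text is a constructed copy of the one quoted above.

```python
import re

# Constructed copy of the rule quoted in the thread (reference: option dropped for brevity).
POSTED_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack"; '
    'content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; '
    'file_data; content:"swift_copy.exe"; classtype:trojan-activity; sid:100060; rev:1;)'
)

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$', re.S)
REQUEST_MODIFIERS = {'http_uri', 'http_raw_uri', 'http_method', 'http_client_body'}  # follow a content
RESPONSE_STICKY = {'file_data'}  # precede contents; select the decoded HTTP response body

def split_options(body):
    """Split the rule body on ';' outside double quotes into (keyword, value) pairs."""
    opts, cur, quoted = [], '', False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            k, _, v = cur.strip().partition(':')
            opts.append((k, v.strip().strip('"') or None))
            cur = ''
        else:
            cur += ch
    if cur.strip():  # tolerate a missing trailing ';'
        k, _, v = cur.strip().partition(':')
        opts.append((k, v.strip().strip('"') or None))
    return opts

def lint_http_direction(rule):
    """Return (to_server, findings); each finding is (content, buffer, side)."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError('unparseable rule header')
    _, _, src, _, direction, _, dport, body = m.groups()
    to_server = direction == '->' and src == '$HOME_NET' and dport == '$HTTP_PORTS'
    opts, findings, sticky = split_options(body), [], None
    for i, (k, v) in enumerate(opts):
        if k in RESPONSE_STICKY:
            sticky = k                      # applies to every content that follows
        elif k == 'pkt_data':
            sticky = None                   # back to the raw packet payload
        elif k == 'content':
            buf, side = sticky, ('response' if sticky else 'packet')
            for mk, _ in opts[i + 1:]:      # modifiers sit between this content and the next
                if mk == 'content' or mk in RESPONSE_STICKY:
                    break
                if mk in REQUEST_MODIFIERS:
                    buf, side = mk, 'request'
            findings.append((v, buf, side))
    return to_server, findings

def mismatches(rule):
    """Contents a client-to-server HTTP rule can never see because they sit in the response."""
    to_server, findings = lint_http_direction(rule)
    return [f for f in findings if to_server and f[2] == 'response']
```

Running mismatches() on the posted rule reports the swift_copy.exe content under file_data; the same check on a rule written $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any reports nothing.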