Snort mailing list archives

Expiro sigs


From: Y M <snort () outlook com>
Date: Thu, 14 Nov 2013 15:12:39 +0000

# sid 100109: Expiro-style User-Agent (the fast_pattern modifier must follow a content
# option, not the pcre, and the pcre's /H modifier already selects the header buffer,
# so the trailing http_header after it is dropped; lines are continued with "\")
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; \
flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; \
content:"User-Agent|3A 20|Mozilla"; http_header; fast_pattern:only; \
pcre:"/^User-Agent:[^\n]*?NT[0-9]\.1\.[0-9]{4}-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}/Hmi"; \
metadata:policy security-ips drop, ruleset community, service http; \
reference:url,kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf; \
classtype:trojan-activity; sid:100109; rev:1;)

# sid 100111: same User-Agent form with a trailing "; .NET CLR <8 digits>/<8 digits>" token
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; \
flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; \
content:"User-Agent|3A 20|Mozilla"; http_header; fast_pattern:only; \
pcre:"/^User-Agent:[^\n]*?NT[0-9]\.1\.[0-9]{4}-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8};\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}/Hmi"; \
metadata:policy security-ips drop, ruleset community, service http; \
reference:url,kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf; \
classtype:trojan-activity; sid:100111; rev:1;)
Any help with the pcre is highly appreciated. Also, from the reference, it's not 100% clear to me if the URI of length
(13-20) is actually associated with the POST request.
Thanks.
YM
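To sanity-check the two patterns before loading them into a sensor, here is an added Python harness (my own code, not part of the original post or of any Snort ruleset). It re-expresses the non-flow options of sid 100109 and sid 100111 (POST method, urilen range, the case-sensitive "User-Agent: Mozilla" content match, and the /Hmi pcre over the header block) and runs them over constructed requests. Assumptions: the header block after the request line stands in for Snort's normalized http_header buffer; the urilen range 13<>20 is treated as inclusive, which should be confirmed against the Snort manual for the version in use; and every User-Agent string and URI below is constructed to fit (or miss) the regex, not captured Expiro traffic.

```python
import re

# Snort "m" -> re.M, "i" -> re.I. The "H" modifier (normalized HTTP header buffer)
# is modelled by running the regex over the header block only (assumption).
FLAGS = re.M | re.I

# Pattern from sid 100109 ([0-9]{1} written as [0-9], which is equivalent).
UA_BASE = re.compile(
    r"^User-Agent:[^\n]*?NT[0-9]\.1\.[0-9]{4}-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}"
    r"-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}",
    FLAGS,
)

# Pattern from sid 100111: the base form plus "; .NET CLR <8 digits>/<8 digits>".
UA_DOTNET = re.compile(
    UA_BASE.pattern + r";\s\.NET\sCLR\s[0-9]{8}/[0-9]{8}",
    FLAGS,
)


def rule_matches(raw_request: bytes, ua_regex: re.Pattern,
                 uri_min: int = 13, uri_max: int = 20) -> bool:
    """Approximate the rule options against one HTTP request, in rule order:
    POST method, urilen range (inclusive here, an assumption), the literal
    content match "User-Agent: Mozilla" (case-sensitive: the rule has no nocase),
    then the pcre over the header block."""
    head, _sep, _body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, uri, _version = lines[0].split(" ", 2)
    except ValueError:
        return False                      # not a well-formed request line
    headers = "\n".join(lines[1:])        # stand-in for Snort's http_header buffer
    if method != "POST":
        return False
    if not (uri_min <= len(uri) <= uri_max):
        return False
    if "User-Agent: Mozilla" not in headers:
        return False
    return ua_regex.search(headers) is not None


def build_post(uri: str, user_agent: str, method: str = "POST") -> bytes:
    """Assemble a minimal HTTP/1.1 request (constructed test input)."""
    return (
        f"{method} {uri} HTTP/1.1\r\n"
        f"Host: example.invalid\r\n"
        f"User-Agent: {user_agent}\r\n"
        f"Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


# Constructed User-Agent strings shaped to satisfy the regexes; not real Expiro samples.
UA_BASE_SAMPLE = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows "
                  "NT6.1.7601-ABCDEF12.XYZ.0123ABCD-123456-ABCDEF-1A2B3C4D)")
UA_DOTNET_SAMPLE = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows "
                    "NT6.1.7601-ABCDEF12.XYZ.0123ABCD-123456-ABCDEF-1A2B3C4D; "
                    ".NET CLR 12345678/87654321)")
# An ordinary browser UA: "NT 6.1" has a space after NT, so NT[0-9] cannot match.
UA_BENIGN = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"


def run_checks() -> dict:
    """Evaluate representative cases; returns name -> (sid100109 hit, sid100111 hit)."""
    short_uri = "/abc/def/ghij.php"            # 17 characters, inside 13..20
    long_uri = "/this/is/a/long/uri/path.php"  # 28 characters, outside the range
    cases = {
        "base_ua": build_post(short_uri, UA_BASE_SAMPLE),
        "dotnet_ua": build_post(short_uri, UA_DOTNET_SAMPLE),
        "benign_ua": build_post(short_uri, UA_BENIGN),
        "base_ua_long_uri": build_post(long_uri, UA_BASE_SAMPLE),
        "base_ua_get": build_post(short_uri, UA_BASE_SAMPLE, method="GET"),
    }
    return {name: (rule_matches(req, UA_BASE), rule_matches(req, UA_DOTNET))
            for name, req in cases.items()}


if __name__ == "__main__":
    for name, (hit_109, hit_111) in run_checks().items():
        print(f"{name:18s} sid100109={hit_109!s:5s} sid100111={hit_111!s}")
```

Two things the run makes visible: sid 100109 also fires on the ".NET CLR" variant (its pattern is a prefix of sid 100111's), so both alerts will appear for that traffic unless one rule is dropped or the shorter pattern is anchored to the end of the token; and a stock browser User-Agent with "Windows NT 6.1" is rejected by the NT[0-9] requirement, which is the part of the pcre doing the real discrimination.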
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
