Snort mailing list archives

MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command (1:26839)


From: "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov>
Date: Tue, 9 Jun 2015 13:07:40 +0000

alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 (msg:"MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command"; flow:to_server,established; content:"POST |2F|write HTTP|2F|1.1"; depth:25; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; classtype:trojan-activity; sid:26839; rev:1; )

The "service http;" clause causes this rule to ignore the "10000:30000" port directive and FP on port 80 - should it be 
removed so that the ports match?

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security
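The behaviour the post describes, a rule whose header restricts the destination ports to 10000:30000 while its metadata carries a "service http" clause, is something a ruleset maintainer would want to audit across a whole ruleset rather than spot one rule at a time. The following added example (not part of the post and not Snort project code) parses Snort rule text, pulls the port specification from the header and any "service" entries from the metadata option, and lists the rules where both are present so they can be reviewed. The sample ruleset is constructed for the example: the first rule is sid 26839 as quoted above, the other two are constructed variants with placeholder SIDs in the local range. Whether a flagged rule should lose its service clause, its port range, or neither is left to the reviewer, as the post itself leaves that open.

```python
import re
from typing import Dict, List, Optional

# Constructed sample ruleset. Rule 1 is sid 26839 as quoted in the post; rules 2 and 3
# are constructed variants (placeholder SIDs 1000001 and 1000002) used for contrast.
SAMPLE_RULES = """
alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 (msg:"MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command"; flow:to_server,established; content:"POST |2F|write HTTP|2F|1.1"; depth:25; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; classtype:trojan-activity; sid:26839; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 (msg:"CONSTRUCTED variant without service clause"; flow:to_server,established; content:"POST |2F|write HTTP|2F|1.1"; depth:25; metadata:policy balanced-ips drop, ruleset community; classtype:trojan-activity; sid:1000001; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED any-port rule with service http"; flow:to_server,established; content:"GET |2F|status"; metadata:service http; classtype:trojan-activity; sid:1000002; rev:1; )
"""

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(body: str) -> List[str]:
    """Split the option body on ';' characters that are outside double quotes.

    Good enough for the sample rules; it does not handle backslash-escaped quotes.
    """
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line: str) -> Optional[Dict]:
    """Return header fields, sid, msg and the metadata 'service' values of one rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule.update(sid=None, msg="", services=[])
    for opt in split_options(m.group("opts")):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name == "sid":
            rule["sid"] = int(value)
        elif name == "msg":
            rule["msg"] = value.strip('"')
        elif name == "metadata":
            # metadata is a comma-separated list of "key value" pairs
            for entry in value.split(","):
                words = entry.split()
                if len(words) >= 2 and words[0] == "service":
                    rule["services"].append(words[1])
    return rule


def restricts_ports(port_spec: str) -> bool:
    """True when the header names specific ports (or a negation) rather than 'any'."""
    return port_spec.lower() != "any"


def find_service_port_conflicts(ruleset: str) -> List[Dict]:
    """List rules that carry a metadata service clause and also restrict a port field."""
    conflicts = []
    for line in ruleset.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["services"] and (restricts_ports(rule["sport"]) or restricts_ports(rule["dport"])):
            conflicts.append({
                "sid": rule["sid"],
                "msg": rule["msg"],
                "services": rule["services"],
                "sport": rule["sport"],
                "dport": rule["dport"],
            })
    return conflicts


if __name__ == "__main__":
    for c in find_service_port_conflicts(SAMPLE_RULES):
        print(f"sid {c['sid']}: service {c['services']} with ports {c['sport']} -> {c['dport']}  ({c['msg']})")
```

Run against a real rules file by reading it into a string in place of SAMPLE_RULES; only the rule quoted in the post is reported from the sample, because the second rule has no service clause and the third leaves both port fields as "any".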

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org