Snort mailing list archives
MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command (1:26839)
From: "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov>
Date: Tue, 9 Jun 2015 13:07:40 +0000
alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 (msg:"MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command"; flow:to_server,established; content:"POST |2F|write HTTP|2F|1.1"; depth:25; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; classtype:trojan-activity; sid:26839; rev:1; )

The "service http;" clause causes this rule to ignore the "10000:30000" port directive and FP on port 80 - should it be removed so that the ports match?

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security
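The following is an added illustration, not code from the post or from Snort: a toy matcher that decodes the rule's content string (with its |2F| hex escapes), applies the depth:25 limit, and evaluates constructed client-to-server payloads with the 10000:30000 port directive either applied or ignored. The packets, hostnames and addresses are made up for the demonstration; the "ports ignored" mode simply models the behaviour the post attributes to "service http" and does not reproduce Snort's service-inspection logic itself. It shows why the same "POST /write HTTP/1.1" request line fires on port 80 only when the port constraint is not enforced.

```python
from dataclasses import dataclass

# Pieces of SID 26839 that this toy matcher models
RULE_CONTENT = "POST |2F|write HTTP|2F|1.1"   # content: with Snort |hex| escapes
RULE_DEPTH = 25                              # depth:25
RULE_DST_PORTS = (10000, 30000)              # 10000:30000 on $EXTERNAL_NET


def decode_snort_content(s: str) -> bytes:
    """Convert a Snort content string into raw bytes.

    Text outside |...| is literal; text inside is hex (spaces allowed),
    so "|2F|" becomes b"/".
    """
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


CONTENT_BYTES = decode_snort_content(RULE_CONTENT)  # b"POST /write HTTP/1.1"


@dataclass
class Packet:
    dst_port: int
    payload: bytes


def content_matches(payload: bytes) -> bool:
    """depth:N means the whole pattern must fall inside the first N payload bytes."""
    return CONTENT_BYTES in payload[:RULE_DEPTH]


def rule_fires(pkt: Packet, honor_ports: bool) -> bool:
    """Evaluate the rule against one client->server payload.

    honor_ports=True  : the 10000:30000 port directive is applied, as written.
    honor_ports=False : the directive is ignored and any HTTP-identified flow is
                        inspected, the behaviour the post attributes to 'service http'
                        (an assumption of this model, not Snort's own code path).
    """
    lo, hi = RULE_DST_PORTS
    if honor_ports and not (lo <= pkt.dst_port <= hi):
        return False
    return content_matches(pkt.payload)


# Constructed sample traffic (not captures); the first two carry the same request line.
SAMPLE_PACKETS = {
    "p2p_proxy_write_20000": Packet(20000, b"POST /write HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"),
    "web_app_write_80":      Packet(80,    b"POST /write HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    "p2p_proxy_read_20000":  Packet(20000, b"POST /read HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"),
    "past_depth_20000":      Packet(20000, b"X" * 8 + b"POST /write HTTP/1.1\r\n"),
}


def alerts(honor_ports: bool) -> list:
    """Names of the sample packets that would raise the alert."""
    return [name for name, pkt in SAMPLE_PACKETS.items() if rule_fires(pkt, honor_ports)]


if __name__ == "__main__":
    print("ports honoured:", alerts(True))     # ['p2p_proxy_write_20000']
    print("ports ignored: ", alerts(False))    # ['p2p_proxy_write_20000', 'web_app_write_80']
```

The "past_depth" packet never fires in either mode: the 20-byte pattern starts at offset 8, so it is not wholly contained in the first 25 bytes, which is what depth:25 requires. The port-80 request fires only when the port directive is not enforced, which is the false positive the post asks about.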