Snort mailing list archives
Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in"
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 12 Mar 2012 14:39:07 -0400
Nathan -- I rewrote the rule as such: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Trojan.Bredolab variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; content:"smk="; depth:4; http_client_body; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:1;) Do you see anything wrong there? I tested it against the pcap you sent us as well as an internally generated pcap against the family of malware. And it fires fine. J On Mar 12, 2012, at 10:16 AM, Community Proposed wrote:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent: Mozilla/4.0|0d 0a|Host: "; http_header; file_data; content:"smk="; pcre:"/^smk=[^&\?]+/"; classtype:trojan-activity; sid:x; rev:1;) ------------------------------------------------------------------------------ Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in" Community Proposed (Mar 12)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in" Community Proposed (Mar 12)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in" Joel Esler (Mar 12)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in" Community Signatures (Mar 12)