Snort mailing list archives

Re: Zeus P2P-proxy sig


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 7 Jun 2013 15:30:34 -0400

On Jun 7, 2013, at 3:22 PM, James Lay <jlay () slave-tothe-box net> wrote:

Yep.

alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 (msg:"MALWARE-CNC 
Zeus P2P-proxy C2 Write command"; flow:to_server,established; 
content:"POST |2f|write HTTP|2f|1.1"; depth:25; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:url,http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; 
classtype:trojan-activity; sid:10000075; rev:1;)


Thanks James, yes we were looking at that this morning too.  We've been putting the IPs responsible for Zeus in our 
blacklist feed for some time now.  They are working great, we add about 2k a day.  But this type of sig will help people 
find infections in their network they weren't aware of.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
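Added example, not part of the thread: a small Python re-implementation of what James's rule actually matches (destination port 10000:30000, the |2f|-escaped content within depth 25), run over constructed sample payloads so the semantics of the depth and port constraints can be checked offline. The flow:to_server,established and $HOME_NET/$EXTERNAL_NET checks are left out; the sample payloads are made up, not captures.

```python
# Values copied from the rule in James Lay's message; |2f| is Snort's hex escape for "/"
RULE_CONTENT = "POST |2f|write HTTP|2f|1.1"
RULE_DEPTH = 25                    # content must end within the first 25 payload bytes
RULE_DST_PORTS = (10000, 30000)    # the rule's 10000:30000 destination port range


def snort_content_to_bytes(content: str) -> bytes:
    """Expand Snort |xx xx| hex escapes in a content string into raw bytes."""
    out = bytearray()
    for i, piece in enumerate(content.split("|")):
        if i % 2 == 0:
            out += piece.encode("latin-1")      # literal text outside the pipes
        else:
            out += bytes.fromhex(piece)         # hex bytes inside the pipes
    return bytes(out)


def matches_zeus_write_rule(dst_port: int, payload: bytes) -> bool:
    """Replicate the rule's port range and content/depth match (flow and
    $HOME_NET/$EXTERNAL_NET checks are intentionally not modelled here)."""
    lo, hi = RULE_DST_PORTS
    if not (lo <= dst_port <= hi):
        return False
    needle = snort_content_to_bytes(RULE_CONTENT)
    # depth:25 limits the search window to the first 25 bytes of the payload
    return needle in payload[:RULE_DEPTH]


# Constructed sample payloads (not real traffic): (dst_port, payload, expected)
SAMPLES = [
    (22015, b"POST /write HTTP/1.1\r\nHost: example.invalid\r\n\r\n", True),
    (443,   b"POST /write HTTP/1.1\r\n", False),                  # port outside 10000:30000
    (22015, b"POST /read HTTP/1.1\r\n", False),                   # different path
    (22015, b"GET / HTTP/1.1\r\nX: POST /write HTTP/1.1\r\n", False),  # match lies past depth 25
]


def check_samples() -> list:
    """Return one True per sample whose result matches the expectation."""
    return [matches_zeus_write_rule(p, d) == e for p, d, e in SAMPLES]


if __name__ == "__main__":
    for (port, payload, _), ok in zip(SAMPLES, check_samples()):
        print(port, payload[:24], "OK" if ok else "MISMATCH")
```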
