Re: Zeus P2P-proxy sig

[James Lay <jlay () slave-tothe-box net>]

On 2013-06-07 13:30, Joel Esler wrote:
> On Jun 7, 2013, at 3:22 PM, James Lay <jlay () slave-tothe-box net [2]>
> wrote:
>
> > Yep.
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000
> > (msg:"MALWARE-CNC
> > Zeus P2P-proxy C2 Write command"; flow:to_server,established;
> > content:"POST |2f|write HTTP|2f|1.1"; depth:25; metadata:policy
> > balanced-ips drop, policy security-ips drop, service http;
> > reference:url,http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf [1];
> > classtype:trojan-activity; sid:10000075; rev:1;)
>
> Thanks James, yes we were looking at that this morning too. We've 
> been
> putting the IPs responsible for Zeus in our blacklist feed for
> sometime now. They are working great, we add about 2k a day. But this
> type of sig will help people find infections in their network they
> weren't aware of.
>
> --
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

Thanks Joel...lot's of good info in that pdf.

James

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!