Snort mailing list archives
Re: Zeus P2P-proxy sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 07 Jun 2013 13:33:03 -0600
On 2013-06-07 13:30, Joel Esler wrote:
> On Jun 7, 2013, at 3:22 PM, James Lay <jlay () slave-tothe-box net> wrote:
>
>> Yep.
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 (msg:"MALWARE-CNC Zeus P2P-proxy C2 Write command"; flow:to_server,established; content:"POST |2f|write HTTP|2f|1.1"; depth:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; classtype:trojan-activity; sid:10000075; rev:1;)
>
> Thanks James, yes we were looking at that this morning too. We've been putting the IPs responsible for Zeus in our blacklist feed for some time now. They are working great, we add about 2k a day. But this type of sig will help people find infections in their network they weren't aware of.
>
> --
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
Thanks Joel... lots of good info in that pdf.

James
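To make the semantics of the posted rule concrete, here is an added example (not from the thread, and not Snort code) that re-implements the two checks doing the detection work in it: the destination port range 10000:30000 and the content/depth test, with the |2f| hex escapes decoded the way Snort reads them. The flow:to_server and service checks are left out, and the sample requests and the 203.0.113.x address are constructed for the example.

```python
"""Added example: a minimal re-implementation of the port-range and
content/depth checks from the Zeus P2P-proxy rule posted in the thread,
run over constructed HTTP requests.  This is not Snort's own matcher; it
only illustrates what the rule's 'content' and 'depth' options mean."""
import re

# Values copied from the rule in the thread.
RULE_CONTENT = "POST |2f|write HTTP|2f|1.1"    # |xx| is Snort hex-escape syntax
RULE_DEPTH = 25                                # pattern must lie within the first 25 payload bytes
RULE_PORT_LOW, RULE_PORT_HIGH = 10000, 30000   # $EXTERNAL_NET 10000:30000


def decode_content(content: str) -> bytes:
    """Expand Snort |xx yy| hex escapes into raw bytes; plain text is kept verbatim."""
    out = bytearray()
    # re.split alternates literal text (even indices) and captured hex inside |...| (odd indices)
    for i, part in enumerate(re.split(r"\|([0-9A-Fa-f ]*)\|", content)):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_matches(payload: bytes, pattern: bytes, depth: int) -> bool:
    """Snort 'depth:N': the whole pattern must be found within the first N payload bytes."""
    return pattern in payload[:depth]


def rule_matches(dst_port: int, payload: bytes) -> bool:
    """Apply the port range and the content/depth test (flow and service checks omitted)."""
    in_port_range = RULE_PORT_LOW <= dst_port <= RULE_PORT_HIGH
    return in_port_range and content_matches(payload, decode_content(RULE_CONTENT), RULE_DEPTH)


# Constructed sample flows (destination port, client->server payload).
# 203.0.113.x is the RFC 5737 documentation range, not a real C2 address.
SAMPLE_FLOWS = {
    "write_cmd":  (15000, b"POST /write HTTP/1.1\r\nHost: 203.0.113.10:15000\r\nContent-Length: 0\r\n\r\n"),
    "port_80":    (80,    b"POST /write HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),   # outside 10000:30000
    "plain_get":  (15000, b"GET /index.html HTTP/1.1\r\nHost: 203.0.113.10:15000\r\n\r\n"),
    "past_depth": (15000, b"X" * 10 + b"POST /write HTTP/1.1\r\n\r\n"),  # pattern ends at byte 30 > depth 25
}


def evaluate_samples() -> dict:
    """Return {name: matched} for every constructed flow."""
    return {name: rule_matches(port, data) for name, (port, data) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:12s} {'ALERT' if hit else '-'}")
```

The past_depth case is the one worth noticing: the pattern is present in the request, but because depth:25 bounds the search to the first 25 bytes and the pattern would only end at byte 30, the rule does not fire. That is the intended behaviour for a request line that should start the payload, and it is also why depth must be at least as long as the content it qualifies.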