Snort mailing list archives
Re: C2 - Zeus?
From: Paul Bottomley <Paul.Bottomley () betfair com>
Date: Fri, 14 Jun 2013 07:52:32 +0000
Joel,

Have a look here: http://urlquery.net/search.php?q=%5C%2Fimages%5C%2F%5Ba-zA-Z%5D%7B1%7D%5C.php%5C%3Fid%5C%3D%5B0-9%5D%7B2%2C%7D&type=regexp&start=2013-05-29&end=2013-06-13&max=50

Those 3 domains are definitely C2 servers (I've seen them all in pcaps I have)... there are probably more... so looking at the URL pattern it's either 2 or 3 digits, and an optional period at the end, so you can probably change it, yes.

I can send you a pcap I have directly if you like?

Thanks,
Paul

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: 13 June 2013 18:46
To: Paul Bottomley
Cc: Snort-sigs
Subject: Re: [Snort-sigs] C2 - Zeus?

Paul,

A couple of comments:

In your pcre you end with "id\=[0-9]{2,}". Is there something after the two digits, or does it end there? (Can we do "id\=[0-9]{2}$"?) As it stands right there, "2," will keep searching on and on.

Also, [a-zA-Z]{1}... The {1} is unnecessary in this case.

Any pcaps here?

On Jun 13, 2013, at 7:28 AM, Paul Bottomley <Paul.Bottomley () betfair com> wrote:

Might need running in your test lab for a week or so to see what it picks up... From observation, so no reference.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:established,to_server; content:"/images/"; fast_pattern:only; http_uri; pcre:"/\/images\/[a-zA-Z]{1}\.php\?id\=[0-9]{2,}/Ui"; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Thanks
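The PCRE from Paul's rule, checked against a handful of constructed URIs so the effect of Joel's two comments can be seen directly. This is an added example, not code from the thread or from Snort: the "tightened" pattern is an assumption built from Joel's question about anchoring and Paul's answer that the id is 2 or 3 digits with an optional trailing period, the sample URIs are made up (not from any pcap), and Python's `re` with `re.IGNORECASE` stands in for Snort's PCRE engine and its "i" flag.

```python
import re

# Regex body of Paul's rule as posted (Snort flags "/Ui": U = match the normalized
# HTTP URI buffer, i = case-insensitive; re.IGNORECASE stands in for "i" here).
ORIGINAL_PCRE = r"\/images\/[a-zA-Z]{1}\.php\?id\=[0-9]{2,}"

# Tightened variant (assumption, not from the thread): Joel asked whether anything
# follows the digits and Paul answered "2 or 3 digits, and an optional period at the
# end", so the digit count is bounded, the optional "." is allowed, the match is
# anchored to the end of the URI buffer with "$", and the redundant {1} is dropped.
TIGHTENED_PCRE = r"\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}\.?$"

# Constructed sample request URIs (not taken from any pcap).
SAMPLE_URIS = [
    "/images/a.php?id=12",        # two digits, nothing after: the shape Paul describes
    "/images/B.php?id=123.",      # three digits plus the optional trailing period
    "/images/a.php?id=123456",    # long numeric id
    "/images/a.php?id=12&v=1",    # id followed by another query parameter
    "/images/ab.php?id=12",       # two-letter script name
    "/images/a.php?id=1",         # single digit
    "/other/a.php?id=12",         # wrong directory
]


def rule_matches(uri: str, pcre_body: str) -> bool:
    """Emulate the rule's detection logic on one normalized URI: the case-sensitive
    content match "/images/" must hit first (the fast-pattern prefilter), then the
    pcre is applied with the "i" flag. PCRE and Python's re agree on everything
    used here, including "$" matching at the end of the buffer."""
    if "/images/" not in uri:
        return False
    return re.search(pcre_body, uri, re.IGNORECASE) is not None


def compare_patterns(uris=SAMPLE_URIS):
    """Return {uri: (original_hit, tightened_hit)} to show where the two differ."""
    return {
        uri: (rule_matches(uri, ORIGINAL_PCRE), rule_matches(uri, TIGHTENED_PCRE))
        for uri in uris
    }


if __name__ == "__main__":
    for uri, (orig, tight) in compare_patterns().items():
        print(f"{uri:28} original={orig!s:5} tightened={tight}")
```

Running it shows both patterns agreeing on the URIs Paul describes, and the unbounded `[0-9]{2,}` of the original additionally matching a six-digit id and an id followed by a further query parameter, which is the behaviour Joel's `$` anchoring question is about. Whether those extra hits are wanted depends on what the pcaps show, which is why the thread asks for them.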
Current thread:
- C2 - Zeus? Paul Bottomley (Jun 13)
- Re: C2 - Zeus? Joel Esler (Jun 13)
- [SPAM] Re: C2 - Zeus? rmkml (Jun 13)
- Re: C2 - Zeus? Paul Bottomley (Jun 14)
- Re: C2 - Zeus? Joel Esler (Jun 14)
- Re: C2 - Zeus? Joel Esler (Jun 13)