Snort mailing list archives
Re: Snort-sigs Digest, Vol 85, Issue 22
From: John Cal <cal220101 () gmail com>
Date: Wed, 26 Jun 2013 17:11:12 -0500
On Wed, Jun 26, 2013 at 2:28 PM, <snort-sigs-request () lists sourceforge net>wrote:
Yippee alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC W32.Trojan.PinkStats outbound connection"; flow:to_server,established; content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; http_header; content:"/count.asp?mac="; http_uri; content:"&ver="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url, http://www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html ; classtype:trojan-activity; sid:10000083; rev:1;) Rule 24015 seems to be a cousin MALWARE-CNC W32.Trojan.Magania James
James, are there any benefits to having your rule match the URI content before the UA content? I might need to read some additional material to understand the order on how a signature is read by Snort, but the correct flow would have the URI before the UA header, correct?
------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: Snort-sigs Digest, Vol 85, Issue 22 John Cal (Jun 26)
- Re: Snort-sigs Digest, Vol 85, Issue 22 James Lay (Jun 26)
- Re: Snort-sigs Digest, Vol 85, Issue 22 Joel Esler (Jun 26)
- Re: Snort-sigs Digest, Vol 85, Issue 22 James Lay (Jun 26)