Re: April 9th compiled Zeus debug upload

[Joel Esler <jesler () sourcefire com>]

James,

Is 25050 not catching this?  Just for clarification?


On May 17, 2013, at 10:04 AM, James Lay <jlay () slave-tothe-box net> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> Win.Trojan.Zeus April 9th 2013 variant data upload"; 
> flow:to_server,established; content:"POST"; http_method; 
> content:"|2f|test|2f|debug.php"; http_uri; metadata:impact_flag red, 
> policy security-ips drop, ruleset community, service http; 
> reference:url,http://securityblog.s21sec.com/2013/05/testing-your-zeus-variant.html; 
> classtype:trojan-activity; sid:10000062; rev:1;)
>
> James
>
> ------------------------------------------------------------------------------
> AlienVault Unified Security Management (USM) platform delivers complete
> security visibility with the essential security capabilities. Easily and
> efficiently configure, manage, and operate all of your security controls
> from a single console and one unified framework. Download a free trial.
> http://p.sf.net/sfu/alienvault_d2d
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!