Snort mailing list archives
Re: Syndicasec Stage Two traffic sig
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 23 May 2013 15:52:04 -0600
On 2013-05-23 15:38, rmkml wrote:
Hi James, Big thx you again for sharing malware rules! Warn: change http_uri to http_client_body please content HTTP/1.0 with http_header not fire for me. Regards @Rmkml
Thanks Rm...good catch..how's this lookin: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan.Win32.Syndicasec Stage Two traffic"; flow:to_server,established; content:"POST"; http_method; content:"HTTP/1.0"; content:"cstype=server|26|authname="; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin; classtype:trojan-activity; sid:10000072; rev:2;) James ------------------------------------------------------------------------------ Try New Relic Now & We'll Send You this Cool Shirt New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Syndicasec Stage Two traffic sig James Lay (May 23)
- Re: Syndicasec Stage Two traffic sig rmkml (May 23)
- Re: Syndicasec Stage Two traffic sig James Lay (May 23)
- Re: Syndicasec Stage Two traffic sig Joel Esler (Jun 03)
- Re: Syndicasec Stage Two traffic sig James Lay (May 23)
- Re: Syndicasec Stage Two traffic sig rmkml (May 23)