Asprox sig

[James Lay <jlay () slave-tothe-box net>]

Didn't see this in the current list of rules, so here we go:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"msg:"MALWARE-CNC Asprox outbound connection"; 
flow:to_server,established; content:"?v="; http_uri; content:"&id="; 
http_uri; within:6; content:"&b="; http_uri; content:"&tm="; http_uri; 
within:7; metadata:impact_flag red, policy balanced-ips drop, policy 
security-ips drop, service http; 
reference:url,http://labs.m86security.com/2010/06/the-asprox-spambot-resurrects/; 
classtype:trojan-activity; sid:10000085; rev:1;)

As usual, any thoughts/criticism is always helpful..thank you.

James

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!