Snort mailing list archives

Bisonha C&C activity


From: Paul Bottomley <Paul.Bottomley () betfair com>
Date: Wed, 4 Sep 2013 15:01:25 +0000

Afternoon,

3001 is the only static match I can find... there may be something better to use?
I've included {262,304} given there are 42 zeros at offset 0x83 and I'm not sure if they are always used?

# reference:url takes the bare host/path; Snort prepends the http:// scheme from reference.config
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"Bisonha C&C activity"; flow:to_server,established; \
    content:"3001"; fast_pattern; http_uri; \
    pcre:"/3001[0-9A-F]{262,304}/U"; \
    metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; \
    reference:url,bl0g.cedricpernet.net/; \
    classtype:trojan-activity; sid:xxxxx; rev:1;)


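Worked example, added here as an editorial note and not part of Paul's post: the script below runs the rule's pcre over a handful of constructed URIs (synthetic padding around the 3001 marker, not real Bisonha traffic) to show where the {262,304} bounds actually bite. The 42-zero block is modelled by inserting zeros into the hex run at index 0x83; that placement, the BOUNDED_PCRE variant with its negative lookahead, and the function names are assumptions made for the illustration, not anything from the proposed rule.

```python
import re

HEX = "0123456789ABCDEF"

# pcre from the proposed rule. Snort's /U modifier only selects the
# normalized-URI buffer; the pattern itself is what Python's re evaluates.
RULE_PCRE = re.compile(r"3001[0-9A-F]{262,304}")

# Assumed tighter variant, NOT in the posted rule: without the lookahead the
# 304 upper bound is meaningless, because any longer hex run still contains
# a 304-character substring and the unanchored pattern matches it.
BOUNDED_PCRE = re.compile(r"3001[0-9A-F]{262,304}(?![0-9A-F])")


def hex_run(length, zero_block_at=None, zero_block_len=42):
    """Deterministic uppercase hex string of `length` characters.

    If zero_block_at is given, a block of zero_block_len '0' characters is
    inserted at that index, modelling the optional run of 42 zeros the post
    mentions (the exact position is an assumption made here).
    """
    body = "".join(HEX[i % 16] for i in range(length))
    if zero_block_at is None:
        return body
    return body[:zero_block_at] + "0" * zero_block_len + body[zero_block_at:]


def matches_rule(uri, pattern=RULE_PCRE):
    """True if the given pcre fires on this (already normalized) URI."""
    return pattern.search(uri) is not None


# Constructed sample URIs (labelled synthetic): only the 3001 marker and the
# 262/304 hex lengths come from the post, everything else is padding.
SAMPLES = {
    "marker_262_hex":           "/3001" + hex_run(262),
    "marker_262_plus_42_zeros": "/3001" + hex_run(262, zero_block_at=0x83),
    "marker_261_hex":           "/3001" + hex_run(261),
    "marker_400_hex":           "/3001" + hex_run(400),
    "marker_lowercase_hex":     "/3001" + hex_run(262).lower(),
    "no_marker":                "/index.php?id=" + hex_run(262),
}


def evaluate(samples=SAMPLES):
    """Run both patterns over every sample; returns {name: (posted, bounded)}."""
    return {name: (matches_rule(uri), matches_rule(uri, BOUNDED_PCRE))
            for name, uri in samples.items()}


if __name__ == "__main__":
    for name, (posted, bounded) in evaluate().items():
        print(f"{name:26} posted pcre={str(posted):5} bounded pcre={bounded}")
```

Points the run makes visible: a 261-character run is rejected, 262 and 304 (262 plus the zero block) are accepted, lowercase hex never matches because the pcre has no /i, and a 400-character run still fires the posted pcre, so if the upper bound is meant to exclude longer payloads the lookahead (or an anchor on the URI buffer) is needed. Snort's four-byte fast_pattern "3001" will be a frequent candidate on an HTTP-heavy link; the pcre is what does the real discrimination here.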
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org