Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Zbot variant sigs

From: Y M <snort () outlook com>
Date: Fri, 11 Oct 2013 21:15:01 +0000
Hi Joel,
You are absolutely right. Reading your comment and revising the rule as well as reading the file_data documentation 
again now I see why. I misinterpreted the purpose of the file_data. I went back to the test box and the part 
(file_data; content:"swift_copy.exe") is not included in the rule, I added it afterwards, hmmm...
That part certainly needs to go away. Thanks for pointing it out and explaining it.YM

Subject: Re: [Snort-sigs] Zbot variant sigs
From: jesler () sourcefire com
Date: Fri, 11 Oct 2013 14:21:56 -0400
CC: snort-sigs () lists sourceforge net
To: snort () outlook com

On Oct 10, 2013, at 4:43 AM, Y M <snort () outlook com> wrote:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from 
phishing attack"; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; file_data; content:"swift_copy.exe"; 
metadata: policy security-ips drop, ruleset community, service http; 
reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/;
 classtype:trojan-activity; sid:100060; rev:1;)
That shouldn’t work, you have an outbound rule, but you are looking for the file being downloaded in the return 
(“file_data; content:”swift_copy.exe”)
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
AEGIS Intelligence Lead                                           
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: