Snort mailing list archives
Re: Zbot variant sigs
From: Y M <snort () outlook com>
Date: Fri, 11 Oct 2013 21:15:01 +0000
Hi Joel,

You are absolutely right. Reading your comment and revising the rule, as well as reading the file_data documentation again, now I see why. I misinterpreted the purpose of file_data. I went back to the test box and the part (file_data; content:"swift_copy.exe") is not included in the rule; I added it afterwards, hmmm... That part certainly needs to go away. Thanks for pointing it out and explaining it.

YM

Subject: Re: [Snort-sigs] Zbot variant sigs
From: jesler () sourcefire com
Date: Fri, 11 Oct 2013 14:21:56 -0400
CC: snort-sigs () lists sourceforge net
To: snort () outlook com

On Oct 10, 2013, at 4:43 AM, Y M <snort () outlook com> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack"; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; file_data; content:"swift_copy.exe"; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:1;)

That shouldn't work, you have an outbound rule, but you are looking for the file being downloaded in the return ("file_data; content:"swift_copy.exe")

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
AEGIS Intelligence Lead
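As an added illustration of Joel's point (not part of the thread or of the VRT ruleset), the same detection split into two rules so that each content match sits on the rule whose direction matches its buffer: the URI match stays on the client-to-server rule, while file_data, which points at the HTTP response body, is only meaningful on a server-to-client rule. The sids, the flowbit name and the second rule's msg are placeholders.

```snort
# Request direction (client -> server): the page's rule with the file_data part
# removed, plus flow:to_server so it only fires on the request side of an
# established session. A flowbit records that the suspicious URI was seen.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack"; flow:to_server,established; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; flowbits:set,swift_copy_request; metadata:service http; classtype:trojan-activity; sid:1000001; rev:1;)

# Response direction (server -> client): file_data selects the HTTP response body,
# so a match on the returned file belongs here. flowbits:isset ties it to the
# request above, and the sid/flowbit name are placeholders.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Zbot variant swift_copy.exe returned for phishing download (placeholder msg)"; flow:to_client,established; flowbits:isset,swift_copy_request; file_data; content:"swift_copy.exe"; metadata:service http; classtype:trojan-activity; sid:1000002; rev:1;)
```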