Snort mailing list archives

Possible Rule Change


From: eric gonzalez <eric.y.gonzalez () gmail com>
Date: Thu, 29 Jan 2015 14:52:50 -0500

Hello,

I was wondering if I could suggest changing the regex within the
rule MALWARE-CNC Win.Trojan.Asprox outbound connection attempt.

You currently have it listed
as /\x2fx\x2f[0-9a-z]{8,10}\x2f[0-9a-f]{32}\x2fAA\x2f0$/U. That is catching
good activity; however, we ran the following against all of our data and
found that we are getting more matches on the following regex rule:

\/[a-z]{1,2}\/[a-z0-9]{8,10}\/[a-z0-9]{30,35}\/AA\/[0-9]$

With the regex in the rule we are matching on 110/357 attempts related to
this activity. With the latter one we are matching on the full 357 logs
containing hits for Asprox-like URLs.

Regards,
Eric
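As an added illustration (not part of Eric's post or of the Snort ruleset), the Python below runs both patterns from the post over constructed sample URIs and counts how many each one flags. The Snort rule's trailing /U modifier restricts matching to the normalised URI, so the example simply applies each pattern to a URI path; the sample URIs are constructed, not real traffic.

```python
import re

# Pattern currently in the Snort rule, quoted from the post. \x2f is a literal "/".
CURRENT_RULE = re.compile(r"\x2fx\x2f[0-9a-z]{8,10}\x2f[0-9a-f]{32}\x2fAA\x2f0$")

# Pattern proposed in the post: 1-2 letter first segment, a 30-35 character
# alphanumeric token instead of exactly 32 hex digits, and any final digit.
PROPOSED_RULE = re.compile(r"\/[a-z]{1,2}\/[a-z0-9]{8,10}\/[a-z0-9]{30,35}\/AA\/[0-9]$")

HEX32 = "0123456789abcdef" * 2  # 32 hex characters, a constructed stand-in token

# Constructed sample URIs (not real traffic); comments note why each does or
# does not match the current rule.
SAMPLE_URIS = [
    "/x/abcd1234ef/" + HEX32 + "/AA/0",          # matches both patterns
    "/b/abcd1234/" + HEX32 + "/AA/1",            # first segment "b", final digit 1
    "/xy/a1b2c3d4e5/" + HEX32 + "/AA/0",         # two-letter first segment
    "/x/abcd1234/" + HEX32 + "xyz/AA/0",         # 35-char token with non-hex letters
    "/images/logo.png",                          # benign, matches neither
    "/x/abcd1234/AA/0",                          # benign, no long token
]


def classify(uri):
    """Return (current_matches, proposed_matches) for one URI path."""
    return (CURRENT_RULE.search(uri) is not None,
            PROPOSED_RULE.search(uri) is not None)


def coverage(uris):
    """Count how many URIs each pattern flags, mirroring the 110/357 comparison."""
    current = sum(1 for u in uris if CURRENT_RULE.search(u))
    proposed = sum(1 for u in uris if PROPOSED_RULE.search(u))
    return current, proposed


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        cur, prop = classify(uri)
        print(f"current={cur!s:5} proposed={prop!s:5}  {uri}")
    print("coverage (current, proposed):", coverage(SAMPLE_URIS))
```

The broader pattern also widens the character class of the long token, so a tuning step worth doing before adopting it is to confirm that the extra matches in the 357 logs are all Asprox traffic rather than other services using similar path layouts.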
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org