Snort mailing list archives
Possible Rule Change
From: eric gonzalez <eric.y.gonzalez () gmail com>
Date: Thu, 29 Jan 2015 14:52:50 -0500
Hello,

I was wondering if I could suggest changing the regex within the rule MALWARE-CNC Win.Trojan.Asprox outbound connection attempt. You currently have it listed as:

    /\x2fx\x2f[0-9a-z]{8,10}\x2f[0-9a-f]{32}\x2fAA\x2f0$/U

That is catching good activity; however, we ran the following against all of our data and found that we are getting more matches on the following regex rule:

    \/[a-z]{1,2}\/[a-z0-9]{8,10}\/[a-z0-9]{30,35}\/AA\/[0-9]$

With the regex in the rule we are matching on 110/357 attempts related to this activity. With the latter one we are matching on the full 357 logs containing hits for Asprox-like URLs.

Regards,
Eric
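Before swapping a signature's pcre for a broader one, it helps to confirm two things offline: that the new pattern really is a superset of the old one (so nothing previously detected is lost), and exactly which extra URI shapes it now admits. The script below is an added example, not code from the thread or from the Snort project; it runs both PCRE bodies quoted above, as Python regexes, over a small set of constructed URI paths (not real traffic) and reports what each pattern catches. Python's re engine accepts these two patterns unchanged, since `\x2f` and `\/` both denote a literal slash and `$` behaves as in PCRE without the /m modifier.

```python
import re
from typing import Dict, List

# The two PCRE bodies from the post. In Snort the /U modifier applies the
# pattern to the normalized HTTP URI buffer; here we apply it to plain strings.
ORIGINAL_PCRE = r"\x2fx\x2f[0-9a-z]{8,10}\x2f[0-9a-f]{32}\x2fAA\x2f0$"
PROPOSED_PCRE = r"\/[a-z]{1,2}\/[a-z0-9]{8,10}\/[a-z0-9]{30,35}\/AA\/[0-9]$"

# Constructed sample URIs (assumptions for illustration, not observed traffic).
SAMPLE_URIS: List[str] = [
    # Shape the original rule already catches: /x/, 8 alnum, 32 lowercase hex, /AA/0
    "/x/abcdefgh/0123456789abcdef0123456789abcdef/AA/0",
    # Different single-letter prefix and non-zero trailing digit: proposed only
    "/b/abcd12345/0123456789abcdef0123456789abcdef/AA/3",
    # Two-letter prefix and a 31-char non-hex token: proposed only
    "/ab/abcdefghij/abcdefghijklmnopqrstuvwxyz01234/AA/9",
    # Trailing slash defeats the $ anchor in both patterns
    "/x/abcdefgh/0123456789abcdef0123456789abcdef/AA/0/",
    # Query string after the path: the anchored tail no longer matches
    "/x/abcdefgh/0123456789abcdef0123456789abcdef/AA/0?id=1",
    # Ordinary benign path
    "/images/logo.png",
]


def matches(pattern: str, uri: str) -> bool:
    """True if the PCRE body matches anywhere in the URI (Snort pcre semantics)."""
    return re.search(pattern, uri) is not None


def coverage(pattern: str, uris: List[str]) -> List[str]:
    """Return the URIs the pattern matches, preserving input order."""
    return [u for u in uris if matches(pattern, u)]


def compare(uris: List[str]) -> Dict[str, List[str]]:
    """Compare the two patterns over a URI corpus.

    'gained' lists URIs only the proposed pattern hits; 'lost' lists URIs only
    the original hits. An empty 'lost' list is the superset property you want
    before replacing a rule's pcre.
    """
    old = coverage(ORIGINAL_PCRE, uris)
    new = coverage(PROPOSED_PCRE, uris)
    return {
        "original": old,
        "proposed": new,
        "gained": [u for u in new if u not in old],
        "lost": [u for u in old if u not in new],
    }


def main() -> None:
    result = compare(SAMPLE_URIS)
    print(f"original pattern: {len(result['original'])}/{len(SAMPLE_URIS)} matched")
    print(f"proposed pattern: {len(result['proposed'])}/{len(SAMPLE_URIS)} matched")
    for uri in result["gained"]:
        print(f"  gained: {uri}")
    for uri in result["lost"]:
        print(f"  LOST:   {uri}")


if __name__ == "__main__":
    main()
```

Feeding a larger corpus of URIs into `compare` (for example, the path field from proxy logs) answers the same 110/357 question the post raises, and the `lost` list should stay empty because every component of the original pattern is a subset of the corresponding component in the proposed one. The check that the poster's numbers do not cover is the other direction: `[a-z]{1,2}` and `[a-z0-9]{30,35}` admit many more paths than `x` and 32 hex digits, so the proposed pattern should also be run over known-benign traffic to measure how many additional hits are false positives before it replaces the rule's pcre.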
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Possible Rule Change eric gonzalez (Jan 29)
- Re: Possible Rule Change Y M (Jan 29)