[Snort-sigs] Quick Kuluoz sig

James Lay jlay at ...3266...
Fri Aug 31 19:01:22 EDT 2012


Got 3 minutes before I'm out for a three day ;)  Tired of searching for 
these in email pcaps, so here's the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS Possible Kuluoz spamvertised URL in email"; flow:to_server,established; content:"href=|22|http|3a 2f 2f|"; content:".htm|22|"; distance:0; within:50; pcre:"/\x2f[A-Z]{10}\.htm\x22/ms"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; reference:url,http://blog.webroot.com/2012/08/31/cybercriminals-impersonate-ups-serve-malware; sid:10000021; rev:1;)

Your mileage may vary...stacked up well in my testing.  Have a good 
three day (for those in the USA) weekend all!!

James
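To see what the posted rule actually keys on, here is an added Python transcription of its three matching constraints (the two content matches with distance:0/within:50, and the unanchored pcre) run over a handful of constructed SMTP payload fragments. This is not James's code nor anything from Snort; the hostname example.invalid and the sample payloads are made up for the exercise, and the within-window handling follows the Snort manual's description rather than the engine's source.

```python
import re

# Matching constraints transcribed from the posted rule (sid:10000021).
CONTENT_1 = b'href="http://'   # content:"href=|22|http|3a 2f 2f|"
CONTENT_2 = b'.htm"'           # content:".htm|22|"; distance:0; within:50;
DISTANCE, WITHIN = 0, 50
# pcre:"/\x2f[A-Z]{10}\.htm\x22/ms" -> a slash, exactly ten upper-case letters, .htm"
PCRE = re.compile(rb'/[A-Z]{10}\.htm"', re.M | re.S)


def matches_kuluoz_rule(payload: bytes) -> bool:
    """Return True when payload satisfies every content/pcre constraint of the rule."""
    start = 0
    while True:
        i = payload.find(CONTENT_1, start)
        if i == -1:
            return False  # first content never seen
        end1 = i + len(CONTENT_1)
        # distance:0 / within:50 -> the second content must sit entirely inside
        # the 50 bytes that follow the end of the first match (assumption: this
        # mirrors the manual's "at most N bytes between pattern matches").
        window = payload[end1 + DISTANCE : end1 + DISTANCE + WITHIN]
        if CONTENT_2 in window:
            break
        start = i + 1  # Snort retries later occurrences of the first content
    # The pcre carries no R modifier, so it is searched over the whole payload,
    # not relative to the content matches.
    return PCRE.search(payload) is not None


# Constructed sample payload fragments (not real spam captures).
SAMPLES = {
    # ten upper-case letters before .htm" -> all three constraints hold
    "uppercase_token": b'<a href="http://example.invalid/QWERTYUIOP.htm">Track your parcel</a>',
    # content matches hold but the pcre wants upper-case letters
    "lowercase_path": b'<a href="http://example.invalid/qwertyuiop.htm">',
    # .html" does not contain the byte string .htm"
    "html_extension": b'<a href="http://example.invalid/QWERTYUIOP.html">',
    # .htm" falls outside the 50-byte within window even though the pcre would hit
    "too_far": b'<a href="http://' + b'x' * 60 + b'/QWERTYUIOP.htm">',
    # only nine letters, so [A-Z]{10}\.htm fails
    "nine_letters": b'<a href="http://example.invalid/ABCDEFGHI.htm">',
}


def classify(samples: dict) -> dict:
    """Map each sample name to whether the rule logic fires on it."""
    return {name: matches_kuluoz_rule(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:16s} -> {'ALERT' if hit else 'no match'}")
```

The "too_far" sample is the one worth noticing: a long hostname or path pushes `.htm"` past the 50-byte window and the rule stays silent, which is the sort of false-negative to keep in mind when tuning the within value.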
