[Snort-sigs] Quick Kuluoz sig

Joel Esler jesler at ...435...
Fri Aug 31 20:14:44 EDT 2012


Thanks James!

--
Joel Esler

On Aug 31, 2012, at 7:01 PM, James Lay <jlay at ...3266...> wrote:

> Got 3 minutes before I'm out for a three day ;)  Tired of searching for 
> these in email pcaps, so here's the rule:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS Possible Kuluoz spamvertised URL in email"; flow:to_server,established; content:"href=|22|http|3a 2f 2f|"; content:".htm|22|"; distance:0; within:50; pcre:"/\x2f[A-Z]{10}\.htm\x22/ms"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; reference:url,http://blog.webroot.com/2012/08/31/cybercriminals-impersonate-ups-serve-malware; sid:10000021; rev:1;)
> 
> Your mileage may vary...stacked up well in my testing.  Have a good 
> three day (for those in the USA) weekend all!!
> 
> James
> 
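As an added check that is not part of James's post or of Snort itself: a small Python emulation of the rule's content/distance/within chain and its pcre option, run over constructed SMTP body fragments to show which URL shapes the rule alerts on and which it passes (lowercase path, wrong letter count, a path longer than the 50-byte window). The hostnames and bodies below are assumptions for the demo.

```python
import re

# Byte patterns from the rule, with Snort's |hex| escapes decoded:
# "href=|22|http|3a 2f 2f|" -> href="http://    ".htm|22|" -> .htm"
CONTENT_1 = b'href="http://'
CONTENT_2 = b'.htm"'
DISTANCE, WITHIN = 0, 50
# pcre:"/\x2f[A-Z]{10}\.htm\x22/ms" -> a slash, exactly ten capitals, .htm"
PCRE = re.compile(rb'/[A-Z]{10}\.htm"', re.M | re.S)


def content_chain_matches(payload: bytes) -> bool:
    """content #1 anywhere; content #2 must start at least DISTANCE bytes
    after its end and finish inside the next WITHIN bytes (Snort semantics)."""
    start = 0
    while (c1 := payload.find(CONTENT_1, start)) != -1:
        lo = c1 + len(CONTENT_1) + DISTANCE
        if payload[lo:lo + WITHIN].find(CONTENT_2) != -1:
            return True
        start = c1 + 1  # Snort retries later occurrences of content #1
    return False


def rule_matches(payload: bytes) -> bool:
    """The pcre option carries no R modifier, so it is evaluated against the
    whole payload, independent of where the content chain matched."""
    return content_chain_matches(payload) and PCRE.search(payload) is not None


# Constructed SMTP body fragments (assumed test data, not from the post)
SAMPLES = {
    "ten_capitals":   b'<a href="http://tracking.example/ABCDEFGHIJ.htm">View</a>',
    "lowercase_path": b'<a href="http://tracking.example/abcdefghij.htm">',
    "nine_capitals":  b'<a href="http://tracking.example/ABCDEFGHI.htm">',
    "long_path":      b'<a href="http://tracking.example/' + b'd/' * 30 + b'ABCDEFGHIJ.htm">',
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the emulated rule would alert on it."""
    return {name: rule_matches(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:15s} {'ALERT' if hit else 'no alert'}")
```

Only the ten-capital sample alerts; the long-path sample satisfies the pcre but fails within:50, which is the window to widen if real samples carry longer paths.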
