[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in"

Joel Esler jesler at ...435...
Mon Mar 12 14:39:07 EDT 2012

Nathan --

I rewrote the rule as such:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Trojan.Bredolab variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; content:"smk="; depth:4; http_client_body; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:1;)

Do you see anything wrong there?  I tested it against the pcap you sent us as well as an internally generated pcap against the family of malware. And it fires fine.


On Mar 12, 2012, at 10:16 AM, Community Proposed wrote:

> SPECIFIC-THREATS - Bredolab infected asset POSTing check-in";
> flow:to_server,established; content:"POST"; http_method; content:"User-Agent:
> Mozilla/4.0|0d 0a|Host: "; http_header; file_data; content:"smk=";
> pcre:"/^smk=[^&\?]+/"; classtype:trojan-activity; sid:x; rev:1;)
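
To see what the two rule variants above do and do not fire on, here is an added Python emulation (not code from this thread or from the Snort project) of their content and pcre checks, run over constructed HTTP requests; the header block and POST body stand in for Snort's http_header and http_client_body buffers, and the proposal's file_data is assumed to refer to the POST body.

```python
import re

# Constructed sample traffic for this example (not taken from the list post).
CHECKIN = (
    b"POST /cgi-bin/gate.php HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Content-Length: 21\r\n"
    b"\r\n"
    b"smk=AAAAAAAAAAAAAAAAA"
)
BENIGN_GET = b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: www.example.invalid\r\n\r\n"
BENIGN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    b"Host: www.example.invalid\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"user=smk=ab"
)

def split_request(raw: bytes):
    """Split a raw HTTP request into (method, header block, body).
    The header block stands in for Snort's http_header buffer and the
    body for http_client_body (and, by assumption, the proposal's file_data)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return method, headers + b"\r\n", body

def matches_rewritten_rule(raw: bytes) -> bool:
    """Joel's rewrite (sid:21562): POST method, the exact 'User-Agent: Mozilla/4.0'
    header line, and 'smk=' within the first 4 bytes of the client body.
    depth:4 on a 4-byte pattern means the body must start with 'smk='."""
    method, headers, body = split_request(raw)
    return (method == b"POST"
            and b"User-Agent: Mozilla/4.0\r\n" in headers
            and body[:4] == b"smk=")

def matches_proposed_rule(raw: bytes) -> bool:
    """The original proposal: same method check, the UA line must be followed
    by 'Host: ', and the pcre /^smk=[^&\\?]+/ additionally demands at least one
    byte after 'smk=' that is neither '&' nor '?'."""
    method, headers, body = split_request(raw)
    return (method == b"POST"
            and b"User-Agent: Mozilla/4.0\r\nHost: " in headers
            and b"smk=" in body
            and re.match(rb"^smk=[^&\?]+", body) is not None)
```

A body of exactly `smk=` (empty value) fires the rewrite but not the proposal, which is the one behavioural gap between dropping the pcre and keeping it.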
