[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in"
lists at ...3397...
Mon Mar 12 14:45:04 EDT 2012
On 03/12/12 13:39, Joel Esler wrote:
> Nathan --
> I rewrote the rule as such:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Trojan.Bredolab variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; content:"smk="; depth:4; http_client_body; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:1;)
> Do you see anything wrong there? I tested it against the pcap you sent
> us as well as an internally generated pcap against the family of
> malware. And it fires fine.
I think this is a better way to have written this, thanks. The abnormal
header ordering and UA are unique enough that, coupled with the HTTP POST
payload, we should not see false positives.
It didn't occur to me to use 'depth:4; http_client_body;' as a way to
avoid the unnecessary PCRE.
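As an added illustration of how the three content checks in Joel's rewritten rule combine (this is example code written for this page, not code from the thread, from Snort, or from the VRT), the script below models the http_method, http_header and http_client_body buffers over a raw HTTP request and shows why 'depth:4; http_client_body;' pins "smk=" to the very start of the body with no PCRE. The request shape, hostname, URI and form values are constructed sample data, not captured Bredolab traffic.

```python
"""Model of the content checks in sid:21562 (BOTNET-CNC Trojan.Bredolab
variant outbound connection), as discussed in the Snort-sigs thread.

Added example: it is not Snort code and does not reproduce Snort's HTTP
inspector; it only mirrors the rule's three content matches so their
effect can be seen on constructed requests.
"""

HTTP_METHOD = b"POST"
# content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header;
# decodes to the bytes below: the UA header must end right after
# "Mozilla/4.0", so a real browser UA with a "(compatible; ...)" suffix
# does not match.
USER_AGENT = b"User-Agent: Mozilla/4.0\r\n"
# content:"smk="; depth:4; http_client_body;
BODY_PREFIX = b"smk="
BODY_DEPTH = 4


def split_request(raw: bytes):
    """Split a raw request into (method, header block, body).

    Approximates what Snort's HTTP preprocessor places into the
    http_method, http_header and http_client_body buffers.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    # Re-append the CRLF that terminates the last header line so the
    # |0D 0A| in the UA content still matches when UA is the final header.
    return method, headers + b"\r\n", body


def rule_matches(raw: bytes) -> bool:
    """True when all three content checks of the rule hold."""
    method, headers, body = split_request(raw)
    if method != HTTP_METHOD:
        return False
    if USER_AGENT not in headers:
        return False
    # depth:4 restricts the search to the first 4 bytes of the client
    # body, so "smk=" has to be the first form field, not merely present.
    return BODY_PREFIX in body[:BODY_DEPTH]


def build_request(user_agent: bytes, body: bytes, method: bytes = b"POST") -> bytes:
    """Assemble a constructed request in the shape the rule targets.

    Host, URI and field values are placeholders invented for this example.
    """
    lines = [
        method + b" /check.php HTTP/1.1",
        b"Host: example.invalid",
        b"User-Agent: " + user_agent,
        b"Content-Type: application/x-www-form-urlencoded",
        b"Content-Length: " + str(len(body)).encode(),
        b"",
        body,
    ]
    return b"\r\n".join(lines)


# Constructed samples (not captured traffic).
CHECKIN = build_request(b"Mozilla/4.0", b"smk=AAAA&id=1")          # fires
BROWSER = build_request(b"Mozilla/4.0 (compatible; MSIE 8.0)", b"smk=AAAA")  # UA suffix
LATE_FIELD = build_request(b"Mozilla/4.0", b"id=1&smk=AAAA")       # smk= past depth
GET_REQ = build_request(b"Mozilla/4.0", b"", method=b"GET")        # wrong method


def summary() -> dict:
    """Evaluate every sample; returned so it can be checked programmatically."""
    return {
        "checkin": rule_matches(CHECKIN),
        "browser": rule_matches(BROWSER),
        "late_field": rule_matches(LATE_FIELD),
        "get": rule_matches(GET_REQ),
    }


if __name__ == "__main__":
    for name, fired in summary().items():
        print(f"{name:10s} -> {'ALERT' if fired else 'no match'}")
```

Only the first sample fires: the browser-style UA fails the |0D 0A| terminator, a body where "smk=" is not the leading field falls outside depth:4, and a GET never reaches the header or body checks. That is the anchoring Nathan refers to, achieved with a plain content match instead of a PCRE.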