[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in"

Community Signatures lists at ...3397...
Mon Mar 12 14:45:04 EDT 2012

On 03/12/12 13:39, Joel Esler wrote:
> Nathan --
> I rewrote the rule as such:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Trojan.Bredolab variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; content:"smk="; depth:4; http_client_body; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:1;)
> Do you see anything wrong there?  I tested it against the pcap you sent
> us as well as an internally generated pcap against the family of
> malware. And it fires fine.

I think this is a better way to have written this, thanks.  The abnormal
header ordering and UA are unique enough, coupled with the HTTP POST
payload, that we should not see false positives.

It didn't occur to me to use 'depth:4; http_client_body;' as a way to
avoid the unnecessary PCRE.

Thanks Joel!
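As an added illustration (not code from the thread or from Snort itself), the following Python models the three content checks of the proposed rule against constructed HTTP requests, to show why `depth:4; http_client_body;` anchors on the body start without a PCRE. Snort buffer semantics are approximated, and the sample requests and the `example.invalid` host are made up.

```python
# Added example, not from the thread: a Python model of what the proposed
# Snort rule (sid:21562) matches. Snort buffer semantics are approximated;
# every sample request below is constructed, not a real capture.

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, header_block, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end-of-headers marker")
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    # Re-append the CRLF that terminates the last header so |0D 0A| can match.
    return method, headers + b"\r\n", body


def matches_bredolab_checkin(raw: bytes) -> bool:
    """Return True when the request satisfies all three content checks of the rule."""
    method, headers, body = parse_http_request(raw)
    # content:"POST"; http_method;
    if method != b"POST":
        return False
    # content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header;
    # The CRLF right after "Mozilla/4.0" is what makes the bare UA distinctive;
    # a browser UA such as "Mozilla/4.0 (compatible; MSIE ...)" does not match.
    if b"User-Agent: Mozilla/4.0\r\n" not in headers:
        return False
    # content:"smk="; depth:4; http_client_body;
    # depth:4 limits the search to the first 4 body bytes, and the pattern is
    # 4 bytes long, so it can only match at offset 0 of the client body.
    return body[:4] == b"smk="


# Constructed samples (not real captures).
CHECKIN = (b"POST /x HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: example.invalid\r\n"
           b"Content-Length: 9\r\n\r\nsmk=AAAA1")
BROWSER_UA = (b"POST /x HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n"
              b"Host: example.invalid\r\nContent-Length: 9\r\n\r\nsmk=AAAA1")
LATE_SMK = (b"POST /x HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: example.invalid\r\n"
            b"Content-Length: 10\r\n\r\nq=1&smk=AA")

if __name__ == "__main__":
    for name, req in (("CHECKIN", CHECKIN), ("BROWSER_UA", BROWSER_UA), ("LATE_SMK", LATE_SMK)):
        print(name, matches_bredolab_checkin(req))
```

Only CHECKIN fires: the browser-style UA fails the exact `|0D 0A|`-terminated header match, and a body where `smk=` appears after offset 0 is outside the 4-byte depth window.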

