[Snort-sigs] Quick uricontent question

James Lay jlay at ...3266...
Wed Sep 19 16:32:29 EDT 2012


So...doing some reading:

http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx

From the text:

The first phone home mechanism is through a specially crafted HTTP Get Request that takes the following form:

GET /<unique ID>/counter.img?theme=%u&digits=10&siteId=%u HTTP/1.1\r\n
Host: <hostname>\r\n
User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)

So far here's what I have:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"INDICATOR-COMPROMISE ZeroAccess phone home";
flow:to_server,established;
content:"User-Agent|3a| Opera/9"; http_header;
uricontent:"/counter.img?theme=";
sid:<local sid>; rev:1;)

As I am reading the info on uricontent, the content is already 
normalized...does that mean I don't have to hex anything with 
"/counter.img?theme="?  Or does it matter?  Thanks all.

James
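Added example, not part of the post above and not Snort's own code: a simplified model of what http_inspect does to a request-URI before uricontent (http_uri in newer rule syntax) is matched against it, plus a helper showing which characters actually need hex in a content string. It assumes only the common normalizations (percent-decoding, backslash to slash, collapsing "//", removing "/./" and resolving "/../"); Snort also handles IIS Unicode, double-encoding and other variants that are not modelled here. The sample request lines are constructed, not captured traffic, and the "%u" tokens in the Sophos excerpt are printf-style placeholders the malware fills in, not literal bytes to match.

```python
"""Simplified Snort-style URI normalization (added example, not Snort code).

Shows why a uricontent pattern is written in its decoded form: the pattern
is compared with the normalized URI buffer, so "/counter.img?theme=" matches
even when the client percent-encodes '.' or '=' or inserts "/./" and "/../".
"""
import re
from urllib.parse import unquote


def normalize_uri(raw_uri: str) -> str:
    """Approximate the normalized URI buffer uricontent is matched against.

    Modelled: percent-decoding (path and query), backslash -> slash,
    collapsing repeated slashes, removing "/./", resolving "/seg/../".
    Not modelled (assumption/simplification): IIS %u encoding, UTF-8
    multibyte decoding, double-decoding.
    """
    path, sep, query = raw_uri.partition("?")
    path = unquote(path).replace("\\", "/")
    path = re.sub(r"/{2,}", "/", path)
    while "/./" in path:                       # self-referential dirs
        path = path.replace("/./", "/")
    while True:                                # directory traversal
        resolved = re.sub(r"/[^/]+/\.\./", "/", path, count=1)
        if resolved == path:
            break
        path = resolved
    return path + sep + unquote(query)


def uri_matches(raw_uri: str, pattern: str) -> bool:
    """Emulate uricontent:"pattern" against one request-URI."""
    return pattern in normalize_uri(raw_uri)


def request_uri(request_line: str) -> str:
    """Pull the request-URI out of an HTTP request line."""
    return request_line.split(" ", 2)[1]


def to_snort_content(literal: str) -> str:
    """Render a literal as a Snort content string.

    Only ';', '"', '\\' and the hex delimiter '|' (plus non-printable
    bytes) have to be written in |hex|; '/', '.', '?', '=' and '&' can be
    written as-is, which is why the uricontent above needs no hex.
    """
    out = []
    for ch in literal:
        code = ord(ch)
        if ch in ';"\\|' or not 0x20 <= code < 0x7F:
            out.append("|%02X|" % code)
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


# Constructed sample request lines (not real traffic); the "unique ID"
# path segment is a made-up value.
SAMPLE_REQUESTS = [
    "GET /1a2b3c4d/counter.img?theme=1&digits=10&siteId=7 HTTP/1.1",
    "GET /1a2b3c4d/%63ounter%2Eimg?theme%3D1&digits=10 HTTP/1.1",
    "GET /1a2b3c4d/junk/../counter.img?theme=1 HTTP/1.1",
    "GET /1a2b3c4d//counter.img?theme=1 HTTP/1.1",
    "GET /1a2b3c4d/counter.png?theme=1 HTTP/1.1",
]
PATTERN = "/counter.img?theme="


def classify(request_lines):
    """Return (raw URI, matched?) for each request line."""
    return [(request_uri(line), uri_matches(request_uri(line), PATTERN))
            for line in request_lines]


if __name__ == "__main__":
    for uri, hit in classify(SAMPLE_REQUESTS):
        label = "MATCH   " if hit else "no match"
        print(f"{label}  {uri}  ->  {normalize_uri(uri)}")
    print("content string:", to_snort_content(PATTERN))
```

The first four constructed requests all match the decoded pattern once normalized, while the last one does not; the same pattern written with hex escapes for "." or "=" would still match, it just buys nothing. The caveat a rule author should keep in mind is the reverse case: a pattern that contains a literal "%" sequence will not match the normalized buffer, because the decoding has already happened by the time uricontent runs.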