[Snort-sigs] Quick uricontent question

James Lay jlay at ...3266...
Wed Sep 19 17:33:55 EDT 2012

On 2012-09-19 15:26, Joel Esler wrote:
> James, in this case %u and such are variable fields.  (The theme is
> digits and the siteID is also digits if it's the first report)
> So, what you'd want is something like this:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound
> communication"; flow:to_server,established;
> content:"/counter.img?theme="; nocase; http_uri; content:"&digits=";
> nocase; http_uri; distance:0; content:"&siteId="; nocase; http_uri;
> distance:0; pcre:"/theme\=\d+\&digits\=/Ui"; metadata:policy
> balanced-ips drop, policy security-ips drop, service http;
> reference:url,www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx;
> classtype:trojan-activity;)
> Now, I haven't tested this against any pcaps or samples, I simply
> wrote this freehand by looking at the pdf you linked there.
> I'll do some testing and we'll try and get this (or something very
> similar) out.
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

Thanks Joel...that was quick work!
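To make the matching logic of Joel's rule concrete, here is a small added example (my own code, not part of the thread or the Sourcefire rule set) that emulates how the chained `content` options with `nocase`, `http_uri` and `distance:0` combine with the `pcre` option. The sample URIs are constructed for illustration, not taken from real traffic; the first has the shape the rule targets, the rest are deliberate near-misses, including one where every `content` matches but the `\d+` in the pcre does not.

```python
import re

# Constructed sample request URIs (not from the original thread). "beacon"
# follows the shape the quoted rule targets; the others are near-misses.
SAMPLE_URIS = {
    "beacon": "/counter.img?theme=1234&digits=8&siteId=77",
    "upper_case": "/COUNTER.IMG?Theme=42&Digits=6&SiteId=9",
    "nondigit_theme": "/counter.img?theme=abc&digits=8&siteId=77",
    "reordered": "/counter.img?digits=8&theme=12&siteId=77",
    "missing_siteid": "/counter.img?theme=12&digits=8",
}

# The three content options from the rule, in rule order. Each one after the
# first carries distance:0, i.e. it must be found at or after the cursor left
# by the previous match; nocase makes them case-insensitive; http_uri means
# the search is confined to the (normalized) URI buffer.
CONTENTS = ("/counter.img?theme=", "&digits=", "&siteId=")

# The pcre option: /theme\=\d+\&digits\=/Ui  (U = URI buffer, i = nocase).
# Python's re accepts the same escaped '=' and '&' as PCRE does.
PCRE = re.compile(r"theme\=\d+\&digits\=", re.IGNORECASE)


def contents_match(uri):
    """Emulate the chained content matches with distance:0 on the URI buffer.

    This simplification searches the URI string directly; real Snort searches
    the normalized URI buffer, which for these ASCII samples is identical.
    """
    haystack = uri.lower()
    cursor = 0
    for needle in CONTENTS:
        idx = haystack.find(needle.lower(), cursor)
        if idx < 0:
            return False
        cursor = idx + len(needle)  # distance:0 -> next search starts here
    return True


def rule_matches(uri):
    """All detection options are ANDed: every content AND the pcre must hit."""
    return contents_match(uri) and PCRE.search(uri) is not None


def evaluate(uris):
    """Run the emulated rule over a dict of name -> URI."""
    return {name: rule_matches(u) for name, u in uris.items()}


if __name__ == "__main__":
    for name, fired in evaluate(SAMPLE_URIS).items():
        print(f"{name:16s} {'ALERT' if fired else 'no match'}")
```

The `nondigit_theme` case is the instructive one: the fast `content` checks all pass, and only the `pcre` rejects it, which is exactly the division of labour Snort rule writers aim for (cheap literal matches to qualify the packet, a regex only to confirm the variable field). One further caveat before loading the rule as quoted: Snort requires `sid` and `rev` options, which the freehand draft does not yet carry, so it needs those added before it will parse.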

