[Snort-sigs] Quick uricontent question

James Lay jlay at ...3266...
Wed Sep 19 17:33:55 EDT 2012


On 2012-09-19 15:26, Joel Esler wrote:
> James, in this case %u and such are variable fields.  (The theme is
> digits and the siteID is also digits if it's the first report)
>
> So, what you'd want is something like this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound
> communication"; flow:to_server,established;
> content:"/counter.img?theme="; nocase; http_uri; content:"&digits=";
> nocase; http_uri; distance:0; content:"&siteId="; nocase; http_uri;
> distance:0; pcre:"/theme\=\d+\&digits\=/Ui"; metadata:policy
> balanced-ips drop, policy security-ips drop, service http;
> reference:url,www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx;
> classtype:trojan-activity;)
>
> Now, I haven't tested this against any pcaps or samples, I simply
> wrote this freehand by looking at the pdf you linked there.
>
> I'll do some testing and we'll try and get this (or something very
> similar) out.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire


Thanks Joel...that was quick work!

James
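As an added illustration (not code from this thread or from Sourcefire), the following Python emulates the ordered content/distance:0/pcre chain of the rule quoted above so its logic can be sanity-checked against sample URIs offline. It assumes the URIs are already normalized, as they would be in Snort's http_uri buffer, and the sample URIs are constructed.

```python
import re

# Ordered content matches from the quoted rule (all nocase, http_uri).
# Each later content uses distance:0, i.e. it must start at or after the
# end of the previous match.
CONTENTS = ["/counter.img?theme=", "&digits=", "&siteId="]

# pcre:"/theme\=\d+\&digits\=/Ui": U = normalized URI buffer, i = nocase.
PCRE = re.compile(r"theme\=\d+\&digits\=", re.IGNORECASE)


def ordered_contents_match(uri, contents):
    """Emulate chained content matches with distance:0 (hypothetical helper)."""
    hay = uri.lower()
    pos = 0
    for needle in contents:
        idx = hay.find(needle.lower(), pos)
        if idx < 0:
            return False
        pos = idx + len(needle)  # next search starts after this match
    return True


def rule_matches(uri):
    """True when both the content chain and the pcre fire on this URI."""
    return ordered_contents_match(uri, CONTENTS) and PCRE.search(uri) is not None


# Constructed sample URIs, not captured traffic.
SAMPLE_URIS = [
    "/counter.img?theme=12&digits=5&siteId=98765",   # all fields numeric, in order
    "/counter.img?THEME=7&Digits=3&siteid=1",         # nocase still matches
    "/counter.img?theme=abc&digits=5&siteId=1",       # theme not \d+: pcre fails
    "/counter.img?theme=12&siteId=1&digits=5",        # wrong order: distance chain fails
    "/index.html",                                     # unrelated request
]


def evaluate(uris):
    """Map each URI to whether the emulated rule would alert on it."""
    return {u: rule_matches(u) for u in uris}


if __name__ == "__main__":
    for uri, hit in evaluate(SAMPLE_URIS).items():
        print(("ALERT " if hit else "      ") + uri)
```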
