[Snort-sigs] Magic Trojan
jlay at ...3266...
Thu Apr 18 14:46:27 EDT 2013
On 2013-04-18 12:03, Joel Esler wrote:
> On Apr 18, 2013, at 1:40 PM, James Lay <jlay at ...3266... >
>> Silly name, but eh:
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> (msg:"SPECIFI-THREATS Magic Trojan"; flow:established,to_client;
>> file_data; content:"some_magic_code1"; depth:20; fast_pattern;
>> classtype:trojan-activity; sid:10000046; rev:1;)
> I cleaned the rule up and it will ship as SID: 26467.
> Thanks James!
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
Thanks Joel...as I look at it (SPECIFI??? REALLY???) my rules always
need cleaned ;)