[Snort-sigs] Asprox sig

James Lay jlay at ...3266...
Tue Jul 9 16:15:08 EDT 2013


Didn't see this in the current list of rules, so here we go:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"msg:"MALWARE-CNC Asprox outbound connection"; 
flow:to_server,established; content:"?v="; http_uri; content:"&id="; 
http_uri; within:6; content:"&b="; http_uri; content:"&tm="; http_uri; 
within:7; metadata:impact_flag red, policy balanced-ips drop, policy 
security-ips drop, service http; 
reference:url,http://labs.m86security.com/2010/06/the-asprox-spambot-resurrects/; 
classtype:trojan-activity; sid:10000085; rev:1;)

As usual, any thoughts/criticism is always helpful..thank you.

James




More information about the Snort-sigs mailing list