[Snort-sigs] Asprox sig
jlay at ...3266...
Tue Jul 9 16:15:08 EDT 2013
Didn't see this in the current list of rules, so here we go:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"MALWARE-CNC Asprox outbound connection";
flow:to_server,established; content:"?v="; http_uri; content:"&id=";
http_uri; within:6; content:"&b="; http_uri; content:"&tm="; http_uri;
within:7; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, service http;
classtype:trojan-activity; sid:10000085; rev:1;)
As usual, any thoughts/criticism is always helpful. Thank you.
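To make the rule's matching constraints concrete, here is an added Python emulation of its four ordered `content`/`http_uri` checks; it is not code from the original post, and it only approximates Snort's detection engine (no URI normalization, and a non-relative `content` is searched anywhere in the buffer while a `within:N` match must fit entirely in the N bytes after the previous match). The sample request lines are constructed for illustration.

```python
from typing import List, Optional, Tuple

# Ordered content checks from the posted rule, as (pattern, within).
# None means a non-relative content that may appear anywhere in the URI.
RULE_CONTENTS: List[Tuple[bytes, Optional[int]]] = [
    (b"?v=", None),
    (b"&id=", 6),   # "&id=" must fit entirely in the 6 bytes after "?v="
    (b"&b=", None),
    (b"&tm=", 7),   # "&tm=" must fit entirely in the 7 bytes after "&b="
]


def _match_from(uri: bytes, contents, i: int, pos: int) -> bool:
    """Recursively match contents[i:], with pos = end of the previous match.

    Non-relative contents try every occurrence (simple backtracking, as
    Snort does when a later relative content fails); relative contents
    are confined to the 'within' window that starts at pos.
    """
    if i == len(contents):
        return True
    pattern, within = contents[i]
    if within is None:
        start = 0
        while True:
            idx = uri.find(pattern, start)
            if idx == -1:
                return False
            if _match_from(uri, contents, i + 1, idx + len(pattern)):
                return True
            start = idx + 1
    else:
        window = uri[pos:pos + within]
        rel = window.find(pattern)
        while rel != -1:
            if _match_from(uri, contents, i + 1, pos + rel + len(pattern)):
                return True
            rel = window.find(pattern, rel + 1)
        return False


def uri_matches(uri: bytes, contents=RULE_CONTENTS) -> bool:
    """True if the URI satisfies all ordered content/within checks."""
    return _match_from(uri, contents, 0, 0)


def extract_uri(request_line: bytes) -> bytes:
    """Pull the request-target out of an HTTP request line (assumed well-formed)."""
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def scan_requests(request_lines: List[bytes]) -> List[bytes]:
    """Return the URIs of the request lines the rule's content checks would fire on."""
    return [extract_uri(line) for line in request_lines
            if uri_matches(extract_uri(line))]


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    b"GET /s.php?v=12&id=abcdef&b=xyz&tm=5 HTTP/1.1",   # fires
    b"GET /s.php?v=123&id=abc&b=x&tm=1 HTTP/1.1",       # v value too long for within:6
    b"GET /s.php?v=1&id=9&b=abcd&tm=2 HTTP/1.1",        # b value too long for within:7
    b"GET /index.html HTTP/1.1",                        # no parameters at all
]

if __name__ == "__main__":
    for uri in scan_requests(SAMPLE_REQUESTS):
        print("match:", uri.decode())
```

Running it shows that only the first sample trips every check: the `within:6` after `?v=` leaves room for at most two bytes of value before `&id=`, and `within:7` after `&b=` leaves at most three before `&tm=`, which is what keeps the rule from matching arbitrary query strings that merely contain those parameter names.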