[Snort-sigs] Asprox sig

lists at ...3397... lists at ...3397...
Tue Jul 9 16:23:39 EDT 2013


On 07/09/2013 03:15 PM, James Lay wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"msg:"MALWARE-CNC Asprox outbound connection"; 
> flow:to_server,established; content:"?v="; http_uri; content:"&id="; 
> http_uri; within:6; content:"&b="; http_uri; content:"&tm="; http_uri; 
> within:7; metadata:impact_flag red, policy balanced-ips drop, policy 
> security-ips drop, service http; 
> reference:url,http://labs.m86security.com/2010/06/the-asprox-spambot-resurrects/; 
> classtype:trojan-activity; sid:10000085; rev:1;)

I recommend we had some negations to avoid some falses, for example, the lack of
proper headers is pretty bogus.  Header ordering is pretty important too, so I'd
probably do this:

content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|"; fast_pattern:only;
content!:"Accept"; http_header; {the rest of your content matches for HTTP URI}

Good stuff James, as always.

Cheers,
Nathan





More information about the Snort-sigs mailing list