[Snort-sigs] Syndicasec Stage Two traffic sig

Joel Esler jesler at ...435...
Mon Jun 3 16:06:52 EDT 2013


Thanks James:

26810


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On May 23, 2013, at 5:52 PM, James Lay <jlay at ...3266...> wrote:

> On 2013-05-23 15:38, rmkml wrote:
>> Hi James,
>> 
>> Big thanks again for sharing malware rules!
>> 
>> Warn: change http_uri to http_client_body please
>> 
>> content HTTP/1.0 with http_header does not fire for me.
>> 
>> Regards
>> @Rmkml
> 
> Thanks Rm...good catch..how's this lookin:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> Trojan.Win32.Syndicasec Stage Two traffic"; flow:to_server,established; 
> content:"POST"; http_method; content:"HTTP/1.0"; 
> content:"cstype=server|26|authname="; http_client_body; metadata:policy 
> balanced-ips drop, policy security-ips drop, service http; 
> reference:url,http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin; 
> classtype:trojan-activity; sid:10000072; rev:2;)
> 
> James
> 

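The buffer question settled in the thread above (the cstype pattern belongs in http_client_body rather than http_uri, and "HTTP/1.0" is matched as a plain content), as an added example that is not part of the original messages: a small Python model of the buffers each content check of James's rule inspects, run over constructed requests. The host, path and authname value are placeholders, and the buffer split is a simplification of Snort's HTTP inspection, not its actual code.

```python
# Added example, not from the thread: a small model of the buffers the rule
# above tests, run over constructed requests. Host, path and the authname
# value are placeholders, not indicators from the page.

PATTERN = b"cstype=server&authname="   # the rule's |26| is the '&' byte

# Constructed sample: the pattern sits in the POST body, where the final
# rule (rev:2) looks for it with http_client_body.
SAMPLE_BODY_POST = (
    b"POST /index.php HTTP/1.0\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"cstype=server&authname=PLACEHOLDER"
)

# Constructed sample: same string, but in the query part of the URI with an
# empty body. An http_uri match fires here; http_client_body does not.
SAMPLE_URI_POST = (
    b"POST /index.php?cstype=server&authname=PLACEHOLDER HTTP/1.0\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: an HTTP/1.1 client, so the plain content "HTTP/1.0"
# check fails even though the body carries the pattern.
SAMPLE_HTTP11_POST = SAMPLE_BODY_POST.replace(b"HTTP/1.0", b"HTTP/1.1", 1)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw request into the pieces Snort's HTTP inspector exposes as
    separate buffers: method, URI, header lines and client body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {
        "raw": raw,
        "method": method,
        "uri": uri,
        "version": version,
        "headers": headers,
        "body": body if sep else b"",
    }


def buffer_hits(raw: bytes) -> dict:
    """Evaluate each content check of the rule against its own buffer."""
    req = parse_http_request(raw)
    return {
        # content:"POST"; http_method;
        "http_method": req["method"] == b"POST",
        # content:"HTTP/1.0"; with no modifier searches the whole payload,
        # which is where the request-line version string lives.
        "raw_payload": b"HTTP/1.0" in req["raw"],
        # the earlier http_uri placement that rmkml warned about
        "http_uri": PATTERN in req["uri"],
        # content:"cstype=server|26|authname="; http_client_body;
        "http_client_body": PATTERN in req["body"],
    }


def rule_fires(raw: bytes, pattern_buffer: str = "http_client_body") -> bool:
    """True when all three checks of the rule match. pattern_buffer selects
    where the cstype pattern is looked for, so the original http_uri
    placement can be compared with the corrected http_client_body one."""
    hits = buffer_hits(raw)
    return hits["http_method"] and hits["raw_payload"] and hits[pattern_buffer]


if __name__ == "__main__":
    for name, sample in [("body", SAMPLE_BODY_POST),
                         ("uri", SAMPLE_URI_POST),
                         ("http11", SAMPLE_HTTP11_POST)]:
        print(name, "http_client_body:", rule_fires(sample),
              "http_uri:", rule_fires(sample, "http_uri"))
```

Running it shows the rev:2 rule firing only on the body sample, the http_uri form firing only on the URI sample, and neither firing on the HTTP/1.1 request, which is the point of keeping each content tied to the buffer the data actually travels in.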