[Snort-sigs] Zeus P2P-proxy sig

Joel Esler jesler at ...435...
Fri Jun 7 15:30:34 EDT 2013


On Jun 7, 2013, at 3:22 PM, James Lay <jlay at ...3266...> wrote:

> Yep.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 (msg:"MALWARE-CNC 
> Zeus P2P-proxy C2 Write command"; flow:to_server,established; 
> content:"POST |2f|write HTTP|2f|1.1"; depth:25; metadata:policy 
> balanced-ips drop, policy security-ips drop, service http; 
> reference:url,http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; 
> classtype:trojan-activity; sid:10000075; rev:1;)


Thanks James, yes we were looking at that this morning too.  We've been putting the IPs responsible for Zeus in our blacklist feed for some time now.  They are working great; we add about 2k a day.  But this type of sig will help people find infections in their network they weren't aware of.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
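To make the matching semantics of James's rule concrete, here is an added example (not code from the thread, from the VRT, or from Snort itself) that emulates the two checks the rule performs on a packet: the destination port range `10000:30000` and the `content:"POST |2f|write HTTP|2f|1.1"; depth:25;` match, where `|2f|` is Snort's hex escape for `/` and `depth` limits the search to the first 25 payload bytes. The `flow:to_server,established` and `service http` qualifiers are not modeled, and the sample packets are constructed for illustration; this is a teaching stand-in for testing rule logic, not Snort's actual detection engine.

```python
import re
from typing import List, Tuple

# Hypothetical helper: expand Snort |hex| escapes into raw bytes.
# "POST |2f|write HTTP|2f|1.1" -> b"POST /write HTTP/1.1"
def snort_content_to_bytes(pattern: str) -> bytes:
    out = bytearray()
    for part in re.split(r"(\|[0-9A-Fa-f ]+\|)", pattern):
        if len(part) > 1 and part.startswith("|") and part.endswith("|"):
            out += bytes.fromhex(part.strip("|"))
        else:
            out += part.encode("latin-1")
    return bytes(out)


# Values taken directly from the rule in the thread.
ZEUS_WRITE_CONTENT = snort_content_to_bytes("POST |2f|write HTTP|2f|1.1")
DEPTH = 25
PORT_LOW, PORT_HIGH = 10000, 30000
RULE_MSG = "MALWARE-CNC Zeus P2P-proxy C2 Write command"


def matches_zeus_write(dst_port: int, payload: bytes) -> bool:
    """Emulate the port-range and content/depth checks of sid:10000075.

    depth:25 means the whole pattern must lie inside the first 25 bytes,
    so searching payload[:DEPTH] gives the same answer Snort would.
    """
    if not (PORT_LOW <= dst_port <= PORT_HIGH):
        return False
    return ZEUS_WRITE_CONTENT in payload[:DEPTH]


def scan(packets: List[Tuple[int, bytes]]) -> List[Tuple[int, str]]:
    """Return (index, msg) for every constructed packet that would alert."""
    return [(i, RULE_MSG) for i, (port, data) in enumerate(packets)
            if matches_zeus_write(port, data)]


# Constructed sample traffic (not real captures). Host values use the
# documentation range 198.51.100.0/24.
SAMPLE_PACKETS = [
    # 0: P2P-proxy write command to a high port -> alert
    (12345, b"POST /write HTTP/1.1\r\nHost: 198.51.100.7\r\nContent-Length: 64\r\n\r\n"),
    # 1: same request, but to port 80 -> outside 10000:30000, no alert
    (80, b"POST /write HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"),
    # 2: different method on an in-range port -> content does not match
    (15000, b"GET /write HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"),
    # 3: pattern present but pushed past the 25-byte depth window -> no alert
    (20000, b"X" * 10 + b"POST /write HTTP/1.1\r\n\r\n"),
    # 4: boundary port 30000 is inclusive in Snort port ranges -> alert
    (30000, b"POST /write HTTP/1.1\r\n\r\n"),
]


if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_PACKETS):
        port, data = SAMPLE_PACKETS[idx]
        print(f"packet {idx} dst_port={port}: {msg}")
```

Packet 3 is the case worth remembering when tuning a rule like this: a `depth` that is too tight silently drops true positives if the command is ever preceded by leading bytes, while a `depth` that is too loose costs matching time on every packet to the port range; 25 bytes leaves a small margin over the 20-byte pattern.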
