[Snort-sigs] Zeus P2P-proxy sig
jlay at ...3266...
Fri Jun 7 15:33:03 EDT 2013
On 2013-06-07 13:30, Joel Esler wrote:
> On Jun 7, 2013, at 3:22 PM, James Lay <jlay at ...3266... >
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000
>> Zeus P2P-proxy C2 Write command"; flow:to_server,established;
>> content:"POST |2f|write HTTP|2f|1.1"; depth:25; metadata:policy
>> balanced-ips drop, policy security-ips drop, service http;
>> reference:url,http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf ;
>> classtype:trojan-activity; sid:10000075; rev:1;)
> Thanks James, yes we were looking at that this morning too. We've
> putting the IPs responsible for Zeus in our blacklist feed for
> sometime now. They are working great, we add about 2k a day. But this
> type of sig will help people find infections in their network they
> weren't aware of.
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
Thanks Joel...lot's of good info in that pdf.
More information about the Snort-sigs