[Snort-sigs] Zeus P2P-proxy sig

James Lay jlay at ...3266...
Fri Jun 7 15:33:03 EDT 2013


On 2013-06-07 13:30, Joel Esler wrote:
> On Jun 7, 2013, at 3:22 PM, James Lay <jlay at ...3266... [2]>
> wrote:
>
>> Yep.
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000
>> (msg:"MALWARE-CNC
>> Zeus P2P-proxy C2 Write command"; flow:to_server,established;
>> content:"POST |2f|write HTTP|2f|1.1"; depth:25; metadata:policy
>> balanced-ips drop, policy security-ips drop, service http;
>> reference:url,http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf [1];
>> classtype:trojan-activity; sid:10000075; rev:1;)
>
> Thanks James, yes we were looking at that this morning too. We've 
> been
> putting the IPs responsible for Zeus in our blacklist feed for
> sometime now. They are working great, we add about 2k a day. But this
> type of sig will help people find infections in their network they
> weren't aware of.
>
> --
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

Thanks Joel...lot's of good info in that pdf.

James




More information about the Snort-sigs mailing list