[Snort-sigs] C2 - Zeus?

Paul Bottomley Paul.Bottomley at ...3813...
Thu Jun 13 07:28:05 EDT 2013


Might need running in your test lab for a week or so to see what it picks up... From observation so no reference.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:established,to_server; content:"/images/"; fast_pattern:only; http_uri; pcre:"/\/images\/[a-zA-Z]{1}\.php\?id\=[0-9]{2,}/Ui"; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Thanks
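
An added example, not part of the original post and not the author's code: a Python check of the rule's pcre option against constructed URIs, to see what the pattern fires on before a lab trial. Python's `re` stands in for PCRE, and each sample string is treated as an already-normalized `http_uri` buffer; both are assumptions.

```python
import re

# Rule text copied from the post above (sid is the author's placeholder).
RULE = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:established,to_server; content:"/images/"; fast_pattern:only; http_uri; pcre:"/\/images\/[a-zA-Z]{1}\.php\?id\=[0-9]{2,}/Ui"; classtype:trojan-activity; sid:xxxxxx; rev:1;)'''

def compile_rule_pcre(rule):
    """Extract the pcre option from a rule and compile it with Python's re.

    Only the 'i' modifier is translated. 'U' (match the normalized URI)
    is modelled by the caller passing a URI string rather than a packet.
    """
    m = re.search(r'pcre:"/(.*)/([A-Za-z]*)";', rule)
    if not m:
        raise ValueError("no pcre option found in rule")
    body, modifiers = m.groups()
    return re.compile(body, re.IGNORECASE if "i" in modifiers else 0)

def uri_matches(uri, rule=RULE):
    """True if the URI satisfies the rule's pcre.

    The expression has no ^ or $ anchors, so search() is the right model:
    it can match anywhere inside the URI.
    """
    return compile_rule_pcre(rule).search(uri) is not None

# Constructed sample URIs (hypothetical, not taken from real traffic).
SAMPLES = [
    "/images/a.php?id=12",                  # the shape the rule targets
    "/images/Z.PHP?ID=98765",               # 'i' modifier ignores case
    "/images/a.php?id=7",                   # one digit: {2,} not met
    "/images/ab.php?id=12",                 # two-letter script name
    "/static/images/x.php?id=2013&page=2",  # deeper path, extra parameter
    "/images/logo.png",                     # ordinary image request
]

def evaluate(samples=SAMPLES):
    """Map each sample URI to whether the pcre would match it."""
    return {uri: uri_matches(uri) for uri in samples}

if __name__ == "__main__":
    for uri, hit in evaluate().items():
        print(f"{'MATCH' if hit else 'no   '}  {uri}")
```

Because the expression is unanchored, any site that serves a single-letter PHP script with a numeric `id` under a directory named `images` will also match, which is the kind of hit a trial run should be watched for.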
