[Snort-sigs] Trojan.APT.Seinup sig with pcre help request

James Lay jlay at ...3266...
Wed Jun 19 14:07:17 EDT 2013


This one hurt my head:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Trojan.Win32.APT.Seinup outbound connection"; 
flow:to_server,established; content:"php|3f|"; http_uri; 
pcre:"/\x2ephp\x3fa-z0-9]{11,13}=[a-z0-9]{3,7}\x26/"; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:url,http://www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html; 
classtype:trojan-activity; sid:10000081; rev:1;)

Is that PCRE too beefy?  I didn't go the full length of the url..it's 
pretty nuts.  Thanks for any help on this all.

James




More information about the Snort-sigs mailing list