[Snort-sigs] Trojan.APT.Seinup sig with pcre help request

James Lay jlay at ...3266...
Wed Jun 19 14:16:32 EDT 2013


On 2013-06-19 12:07, James Lay wrote:
> This one hurt my head:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
>   msg:"MALWARE-CNC Trojan.Win32.APT.Seinup outbound connection";
>   flow:to_server,established; content:"php|3f|"; http_uri;
>   pcre:"/\x2ephp\x3f[a-z0-9]{11,13}=[a-z0-9]{3,7}\x26/";
>   metadata:policy balanced-ips drop, policy security-ips drop, service http;
>   reference:url,http://www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html;
>   classtype:trojan-activity; sid:10000081; rev:1;)
>
> Is that PCRE too beefy? I didn't go the full length of the url... it's
> pretty nuts. Thanks for any help on this all.
>
> James

Bleh...now I see a bit of a fix already:

pcre:"/\x2ephp\x3f[a-z0-9]{11,13}=[a-z0-9]{3,7}\x26/i";

James
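As an added check that is not part of James's post or the Snort ruleset, the script below runs the rule's PCRE (written with `[` opening the first character class and with the `/i` modifier) through Python's `re` over a handful of constructed request URIs, so you can see which request shapes the expression fires on and how the bracket-less variant silently compiles but never matches. The URIs are made up for the test, not captured Seinup traffic.

```python
import re

# Rule PCRE with the "[" that opens the first character class in place;
# re.IGNORECASE stands in for the trailing /i modifier of the revised rule.
FIXED_PCRE = r"\x2ephp\x3f[a-z0-9]{11,13}=[a-z0-9]{3,7}\x26"
# Same expression with that "[" dropped: "a-z0-9" becomes literal text and
# "]{11,13}" quantifies a literal "]", so it compiles but cannot match a URI.
BROKEN_PCRE = r"\x2ephp\x3fa-z0-9]{11,13}=[a-z0-9]{3,7}\x26"

FIXED_RE = re.compile(FIXED_PCRE, re.IGNORECASE)
BROKEN_RE = re.compile(BROKEN_PCRE, re.IGNORECASE)

# Constructed request URIs (hypothetical, not real C2 traffic) paired with
# whether ".php?<11-13 alnum>=<3-7 alnum>&" is meant to fire on them.
SAMPLES = {
    "/index.php?abcdefghijk1=ab12&x=1": True,    # 12-char key, 4-char value, '&'
    "/Index.PHP?ABCDEFGHIJK1=AB12&": True,       # fires only because of /i
    "/index.php?abcdefghijk1=ab12": False,       # no '&' after the value
    "/a.php?short=ab12&": False,                 # key shorter than 11 chars
    "/index.php?abcdefghijklmnop=ab12&": False,  # key longer than 13 chars
    "/img/logo.png": False,                      # not a PHP request at all
}


def uri_hits(uri: str, pattern: re.Pattern) -> bool:
    """True when the compiled pattern matches anywhere in the URI."""
    return pattern.search(uri) is not None


def evaluate(pattern: re.Pattern) -> dict:
    """Run one pattern over every sample URI and return the verdicts."""
    return {uri: uri_hits(uri, pattern) for uri in SAMPLES}


if __name__ == "__main__":
    for name, pat in (("fixed", FIXED_RE), ("broken", BROKEN_RE)):
        hits = [u for u, hit in evaluate(pat).items() if hit]
        print(f"{name}: {len(hits)} of {len(SAMPLES)} sample URIs match")
```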
