[Snort-sigs] Trojan.APT.Seinup sig with pcre help request

James Lay jlay at ...3266...
Fri Jun 21 11:39:06 EDT 2013


On 2013-06-21 09:27, Joel Esler wrote:
> Is there a minimum length to the query here?  for the use of urilen?
> ".php" is a content match that will enter all the time.  Trying to
> scrounge up ways of making this faster.

Yeah, I've been trying to optimize this myself...not sure if this is a GET or POST...that could help if we knew. I've not seen any other info on this besides the referenced site...maybe you can use your connections to see what else we could get on this, Joel ;)

James

>> And yet another fix...thanks to those that have helped out:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan.Win32.APT.Seinup outbound connection";
>> flow:to_server,established; content:".php|3f|"; http_uri;
>> pcre:"/\x2ephp\x3f[a-z0-9]{11,13}=[a-z0-9]{3,7}\x26[a-z0-9]{3,5}=[a-z0-9]{48}\x26[a-z0-9]{7,9}=[a-z0-9]{32}\x26[a-z0-9]{14,16}=/iU";
>> metadata:policy balanced-ips drop, policy security-ips drop, service http;
>> reference:url,http://www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html;
>> classtype:trojan-activity; sid:10000081; rev:3;)
>>
>> James
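Joel's urilen question can be answered from the quoted pcre itself: every quantifier in it has a fixed lower bound, so the bytes from ".php?" through the final "=" can never be fewer than a computable minimum. The Python below is an added worked example, not code from this thread or from James's rule: it restates the rule's pcre as a segment list, renders that list back into the rule's notation to prove the two agree, computes the fewest and most bytes the pattern itself can consume, and derives the one urilen bound that is safe (a minimum only, because the path before ".php" and the value after the last "=" are unbounded). The helper names, the sample URI and the "urilen:>N" rendering are my own constructions; the sample URI is synthetic, not captured traffic.

```python
import re

# The pcre body from the rule quoted in this thread. Snort's trailing /iU flags are
# not part of the pattern text: i = case-insensitive, U = match on the normalised URI.
RULE_PCRE = (r"\x2ephp\x3f[a-z0-9]{11,13}=[a-z0-9]{3,7}\x26[a-z0-9]{3,5}=[a-z0-9]{48}"
             r"\x26[a-z0-9]{7,9}=[a-z0-9]{32}\x26[a-z0-9]{14,16}=")

# The same pattern as a segment list, so its length bounds can be read off directly.
# ("lit", text) is a literal run; ("cls", lo, hi) is one [a-z0-9]{lo,hi} run.
SEGMENTS = [
    ("lit", ".php?"),
    ("cls", 11, 13), ("lit", "="), ("cls", 3, 7),
    ("lit", "&"), ("cls", 3, 5), ("lit", "="), ("cls", 48, 48),
    ("lit", "&"), ("cls", 7, 9), ("lit", "="), ("cls", 32, 32),
    ("lit", "&"), ("cls", 14, 16), ("lit", "="),
]

# Characters the rule writes as hex escapes rather than literally.
ESCAPES = {".": r"\x2e", "?": r"\x3f", "&": r"\x26"}


def segments_to_regex(segments):
    """Render the segment list in the rule's own notation, to prove both agree."""
    parts = []
    for seg in segments:
        if seg[0] == "lit":
            parts.append("".join(ESCAPES.get(ch, ch) for ch in seg[1]))
        else:
            _, lo, hi = seg
            parts.append("[a-z0-9]{%d}" % lo if lo == hi else "[a-z0-9]{%d,%d}" % (lo, hi))
    return "".join(parts)


def length_bounds(segments):
    """Fewest and most bytes the pattern itself can consume."""
    lo = hi = 0
    for seg in segments:
        if seg[0] == "lit":
            lo += len(seg[1])
            hi += len(seg[1])
        else:
            lo += seg[1]
            hi += seg[2]
    return lo, hi


def suggested_urilen(segments):
    """Only a lower bound is safe: the path before '.php' and the value after the
    final '=' are unbounded, so the whole URI has no usable maximum."""
    lo, _ = length_bounds(segments)
    return "urilen:>%d" % (lo - 1)


def matches(uri):
    """Apply the rule's pcre the way Snort would: case-insensitive, anywhere in the URI."""
    return re.search(RULE_PCRE, uri, re.I) is not None


def build_sample_uri(run_lengths=(11, 3, 3, 7, 14), path="/x"):
    """Constructed test URI (not real traffic) whose variable query runs have the
    given lengths: key1, value1, key2, key3, key4. value2 and value3 are fixed
    by the pattern at 48 and 32 characters."""
    k1, v1, k2, k3, k4 = run_lengths
    query = ("a" * k1 + "=" + "b" * v1 + "&" + "c" * k2 + "=" + "d" * 48 +
             "&" + "e" * k3 + "=" + "f" * 32 + "&" + "g" * k4 + "=")
    return path + ".php?" + query


if __name__ == "__main__":
    assert segments_to_regex(SEGMENTS) == RULE_PCRE
    print("pattern length bounds:", length_bounds(SEGMENTS))
    print("derived option:", suggested_urilen(SEGMENTS))
    shortest = build_sample_uri()
    print(len(shortest), matches(shortest), matches(build_sample_uri((10, 3, 3, 7, 14))))
```

The lower bound counts only the bytes the pcre itself consumes, so any URI that can satisfy it is at least that long; a urilen check with that minimum lets the engine discard short URIs before the pcre is evaluated, while a maximum cannot be derived from this pattern because its two ends are open.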
