[Snort-sigs] Snort-sigs Digest, Vol 85, Issue 22

John Cal cal220101 at ...2420...
Wed Jun 26 18:11:12 EDT 2013


On Wed, Jun 26, 2013 at 2:28 PM,
<snort-sigs-request at lists.sourceforge.net>wrote:

>
> Yippee
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> W32.Trojan.PinkStats outbound connection"; flow:to_server,established;
> content:"User-Agent: Google page|0D 0A|"; fast_pattern:only;
> http_header; content:"/count.asp?mac="; http_uri; content:"&ver=";
> http_uri; metadata:impact_flag red, policy balanced-ips drop, policy
> security-ips drop, service http;
> reference:url,
> http://www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html
> ;
> classtype:trojan-activity; sid:10000083; rev:1;)
>
> Rule 24015 seems to be a cousin MALWARE-CNC W32.Trojan.Magania
>
> James
>

James, are there any benefits to having your rule match the URI content
before the UA content? I might need to read some additional material to
understand the order on how a signature is read by Snort, but the correct
flow would have the URI before the UA header, correct?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130626/1abaeac9/attachment.html>


More information about the Snort-sigs mailing list