[Snort-sigs] Travnet and PCRat sigs

James Lay jlay at ...3266...
Tue May 14 17:14:52 EDT 2013


On 2013-05-14 14:51, rmkml wrote:
> Hi James,
>
> Thx for sharing,
>
> no http_uri on first sig ?
>
> Regards
> Rmkml

Heh...Rm always catches me!  Yea...I should make it like yonder:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Travnet Botnet data upload"; flow:to_server,established; content:"GET"; 
http_method; http_uri; content:"hostid="; http_uri; 
content:"|26|hostname="; within:16; http_uri; content:"|26|hostip="; 
http_uri; metadata:policy balanced-ips drop, policy security-ips drop, 
service http; 
reference:url,http://blogs.mcafee.com/mcafee-labs/travnet-botnet-controls-victims-with-remote-admin-tool; 
classtype:trojan-activity; sid:10000057; rev:2)

Thanks Rm...your sharp eye helps a lot.

James




More information about the Snort-sigs mailing list