[Snort-sigs] April 9th compiled Zeus debug upload

James Lay jlay at ...3266...
Fri May 17 10:33:27 EDT 2013


On 2013-05-17 08:26, Joel Esler wrote:
> James,
>
> Is 25050 not catching this?  Just for clarification?
>
>
> On May 17, 2013, at 10:04 AM, James Lay <jlay at ...3266...> wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus April 9th 2013 variant data upload"; flow:to_server,established; content:"POST"; http_method; content:"|2f|test|2f|debug.php"; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,http://securityblog.s21sec.com/2013/05/testing-your-zeus-variant.html; classtype:trojan-activity; sid:10000062; rev:1;)
>>
>> James

Hey Joel,

Yeah, I looked at that one (been trying to look at rules BEFORE I start 
making 'em, for a refreshing change of pace :))... provided the UA matches 
I'll bet it would.  Only data I have though is the 
"/test/debug.php"... would be nice to see a pcap that has this if anyone 
can provide?  Thanks Joel!

James
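An added illustration, not part of the list thread, of what the posted rule's two content checks actually match: it decodes Snort's `|2f|` hex escapes and tests the `http_method` / `http_uri` conditions against constructed HTTP requests. The buffer model is a simplification (raw method and URI only, no Snort URI normalization), and the sample requests and host name are made up.

```python
# Constructed sample requests (not captured traffic): one that the posted rule
# should fire on, one with the same URI but a GET, one POST to another path.
SAMPLE_REQUESTS = [
    "POST /test/debug.php HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "GET /test/debug.php HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "POST /login.php HTTP/1.1\r\nHost: example.test\r\n\r\n",
]


def decode_snort_content(s: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, text
    inside |...| is hex bytes, so '|2f|test|2f|debug.php' -> b'/test/debug.php'."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part)
    return bytes(out)


def parse_request(raw: str):
    """Split an HTTP request into (method, uri, headers); headers keyed lowercase."""
    request_line, _, rest = raw.partition("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    headers = {}
    for line in rest.split("\r\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method.encode(), uri.encode(), headers


# The two content options from the posted rule, decoded once.
RULE_METHOD = decode_snort_content("POST")            # content:"POST"; http_method;
RULE_URI = decode_snort_content("|2f|test|2f|debug.php")  # content:"|2f|test|2f|debug.php"; http_uri;


def rule_matches(raw: str) -> bool:
    """Simplified model of the rule: substring match on the method and URI buffers."""
    method, uri, _headers = parse_request(raw)
    return RULE_METHOD in method and RULE_URI in uri


def check_samples(requests=SAMPLE_REQUESTS):
    return [rule_matches(r) for r in requests]
```

Only the first sample matches; the rule keys on the URI path alone, which is why a User-Agent based rule like 25050 and this one can fire on different subsets of the same traffic.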
