[Snort-sigs] April 9th compiled Zeus debug upload
jlay at ...3266...
Fri May 17 10:33:27 EDT 2013
On 2013-05-17 08:26, Joel Esler wrote:
> Is 25050 not catching this? Just for clarification?
> On May 17, 2013, at 10:04 AM, James Lay <jlay at ...3266...> wrote:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Win.Trojan.Zeus April 9th 2013 variant data upload";
>> flow:to_server,established; content:"POST"; http_method;
>> content:"|2f|test|2f|debug.php"; http_uri; metadata:impact_flag red,
>> policy security-ips drop, ruleset community, service http;
>> classtype:trojan-activity; sid:10000062; rev:1;)
Yeah, I looked at that one (been trying to look at rules BEFORE I start
making 'em, for a refreshing change of pace :))... Provided the UA matches,
I'll bet it would. The only data I have though is the
"/test/debug.php"... It would be nice to see a pcap that has this, if anyone
can provide one? Thanks Joel!
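To make concrete what the posted rule actually tests, here is an added example in Python; it is not code from the thread, from James Lay, or from the Snort project. It decodes the rule's `|2f|` hex escapes, parses a raw HTTP request, applies an approximation of Snort's http_uri normalization (percent-decoding and slash collapsing; the real http_inspect preprocessor does more), and evaluates the two content matches (POST method, normalized URI containing `/test/debug.php`). The `flow:to_server,established` keyword is not modeled, since it depends on TCP state rather than request bytes. All sample requests are constructed for this example and the host names are placeholders.

```python
import re
from urllib.parse import unquote


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode a Snort content: string, expanding |xx xx| hex escapes.

    "|2f|test|2f|debug.php" becomes b"/test/debug.php".
    """
    out = bytearray()
    pos = 0
    while pos < len(pattern):
        if pattern[pos] == "|":
            end = pattern.index("|", pos + 1)
            out += bytes.fromhex(pattern[pos + 1:end].replace(" ", ""))
            pos = end + 1
        else:
            out += pattern[pos].encode("latin-1")
            pos += 1
    return bytes(out)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def normalize_uri(target: bytes) -> bytes:
    """Approximate Snort's http_uri buffer: path only, percent-decoded,
    repeated slashes collapsed. (Assumption: a subset of http_inspect.)"""
    path = target.split(b"?", 1)[0]
    path = unquote(path.decode("latin-1")).encode("latin-1")
    return re.sub(rb"/+", b"/", path)


# The two content matches from the posted rule (sid:10000062).
RULE = {
    "method": snort_content_to_bytes("POST"),
    "uri": snort_content_to_bytes("|2f|test|2f|debug.php"),
}


def rule_matches(raw: bytes) -> bool:
    """True when the request satisfies both http_method and http_uri matches."""
    method, target, _headers, _body = parse_request(raw)
    return method == RULE["method"] and RULE["uri"] in normalize_uri(target)


# Constructed sample traffic; "example.invalid" is a placeholder host.
SAMPLE_REQUESTS = {
    "post_plain": (b"POST /test/debug.php HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"User-Agent: Mozilla/4.0\r\nContent-Length: 5\r\n\r\na=b&c"),
    "post_encoded": (b"POST /test/%64ebug.php?id=1 HTTP/1.1\r\n"
                     b"Host: example.invalid\r\n\r\n"),
    "post_doubleslash": b"POST //test//debug.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "get_same_path": b"GET /test/debug.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "post_other_path": b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def evaluate_samples() -> dict:
    """Run the rule over every constructed sample; returns name -> matched."""
    return {name: rule_matches(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} {'ALERT' if hit else '-'}")
```

The encoded and double-slash samples show why the rule uses `http_uri` rather than a raw `content:` match: without normalization, `/test/%64ebug.php` would slip past the literal pattern. Note also that, as written, nothing in this rule looks at the User-Agent header, which is the point James raises about whether the existing rule 25050 would fire on the same traffic.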