[Snort-sigs] Syndicasec Stage Two traffic sig

James Lay jlay at ...3266...
Thu May 23 17:52:04 EDT 2013


On 2013-05-23 15:38, rmkml wrote:
> Hi James,
>
> Big thx you again for sharing malware rules!
>
> Warn: change http_uri to http_client_body please
>
> content HTTP/1.0 with http_header not fire for me.
>
> Regards
> @Rmkml

Thanks Rm...good catch..how's this lookin:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Trojan.Win32.Syndicasec Stage Two traffic"; flow:to_server,established; 
content:"POST"; http_method; content:"HTTP/1.0"; 
content:"cstype=server|26|authname="; http_client_body; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:url,http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin; 
classtype:trojan-activity; sid:10000072; rev:2;)

James




More information about the Snort-sigs mailing list