[Snort-sigs] Asprox Sig

James Lay jlay at ...3266...
Tue Nov 12 16:05:16 EST 2013


Ok..so how bad did I hose this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Win32/Asprox Outbound Traffic"; flow:to_server, established; 
content:"User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| WOW64|3b| 
rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0"; fast_pattern:only; 
http_header; content:"Content-Disposition|3a| form-data|3b| 
name=|22|key|22 3b| filename=|22|key.bin|22|"; http_header; 
reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html; 
classtype:bad-unknown; sid:10000111; rev:1;)

James




More information about the Snort-sigs mailing list