[Snort-sigs] Fwd: Re: Asprox Sig
jlay at ...3266...
Tue Nov 12 17:05:37 EST 2013
-------- Original Message --------
Subject: Re: [Snort-sigs] Asprox Sig
Date: 2013-11-12 15:05
From: James Lay <jlay at ...3266...>
To: Geoffrey Serrao <gserrao at ...435...>
On 2013-11-12 15:00, Geoffrey Serrao wrote:
> Hey James,
> Thanks for your contribution.
> Post data is actually stored in the http_client_body buffer (not
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
>     msg:"Win32/Asprox Outbound Traffic"; flow:to_server, established; \
>     content:"User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| WOW64|3b| rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0"; fast_pattern:only; http_header; \
>     content:"Content-Disposition|3a| form-data|3b|name=|22|key|22 3b| filename=|22|key.bin|22|"; http_client_body; \
>     classtype:bad-unknown; sid:10000111; rev:1; \
> )
> Looks like a solid rule, the post data looks pretty unique.
> The VRT might recommend adding nocase to the second content match;
> I'm not sure it's necessary.
> On Tue, Nov 12, 2013 at 4:05 PM, James Lay <jlay at ...3266...> wrote:
>> Ok..so how bad did I hose this:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
>>     msg:"Win32/Asprox Outbound Traffic"; flow:to_server, established; \
>>     content:"User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0"; fast_pattern:only; http_header; \
>>     content:"Content-Disposition|3a| form-data|3b| name=|22|key|22 3b| filename=|22|key.bin|22|"; http_header; \
>>     classtype:bad-unknown; sid:10000111; rev:1; \
>> )
> Geoffrey J. Serrao
> SOURCEfire Technical Support
> My office hours are 10:00 AM to 7:00 PM Eastern time, Monday -
> If you need assistance outside of these hours, please contact
> support at ...435... and another engineer will respond.
Thanks Alex and Geoffrey.
Yeah, I was confused on just where Content-Disposition: landed... is it a
header, or is it body? I was thinking of adding both key.bin and
data.bin, but thought I'd just shoot for the one. Thank you!
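The question James raises (is a multipart part's Content-Disposition line an HTTP header or POST body?) is easiest to settle by splitting a request the way the rule options do and running both versions of the rule over it. The script below is an added example written for this page; it is not code from the thread, from Sourcefire, or from Snort. It assumes a simplified model of Snort's buffers (http_header is the header block after the request line, http_client_body is everything after the blank line; real Snort normalizes headers and only inspects as much body as http_inspect's post_depth allows), uses a constructed multipart POST rather than real Asprox traffic, and writes the second content with a space after `form-data;` as in James's version, which is the standard form of the header.

```python
import re

# Snort content strings are literal text with |xx yy ..| hex escapes
# (e.g. |22 3b| is '";').  This decoder illustrates that syntax; it is
# not Snort's own parser.
_HEX_ESCAPE = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def snort_content_to_bytes(pattern: str) -> bytes:
    out = bytearray()
    pos = 0
    for m in _HEX_ESCAPE.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))  # fromhex tolerates the spaces
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


def http_buffers(raw: bytes) -> dict:
    """Simplified model (assumption, see lead-in) of the Snort buffers.

    http_header      : header block after the request line
    http_client_body : everything after the blank line, i.e. the POST
                       body.  A multipart part's Content-Disposition line
                       lives here even though it looks like a header.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return {"http_header": headers + b"\r\n", "http_client_body": body}


def rule_matches(raw: bytes, contents) -> bool:
    """contents: (snort_pattern, buffer_name, nocase) tuples; all must hit."""
    bufs = http_buffers(raw)
    for pattern, buffer_name, nocase in contents:
        needle, hay = snort_content_to_bytes(pattern), bufs[buffer_name]
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


# Constructed sample traffic for the demo; not a real Asprox capture.
UA = b"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0"
BOUNDARY = b"----FormBoundary7MA4YWxkTrZu0gW"


def build_sample_post(disposition_name: bytes = b"Content-Disposition") -> bytes:
    body = (
        b"--" + BOUNDARY + b"\r\n"
        + disposition_name + b': form-data; name="key"; filename="key.bin"\r\n'
        + b"Content-Type: application/octet-stream\r\n\r\n"
        + b"\x00\x01\x02\x03binary-blob\r\n"
        + b"--" + BOUNDARY + b"--\r\n"
    )
    return (
        b"POST /upload.php HTTP/1.1\r\n"
        + b"Host: example.invalid\r\n"
        + b"User-Agent: " + UA + b"\r\n"
        + b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
        + body
    )


UA_CONTENT = ("User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| WOW64|3b| "
              "rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0")
CD_CONTENT = ("Content-Disposition|3a| form-data|3b| name=|22|key|22 3b| "
              "filename=|22|key.bin|22|")

# James's first attempt: both contents checked against http_header.
RULE_AS_POSTED = [(UA_CONTENT, "http_header", False),
                  (CD_CONTENT, "http_header", False)]
# Geoffrey's correction: the part header is in the POST body.
RULE_CORRECTED = [(UA_CONTENT, "http_header", False),
                  (CD_CONTENT, "http_client_body", False)]
# Same, with the nocase Geoffrey mentioned on the second content.
RULE_NOCASE = [(UA_CONTENT, "http_header", False),
               (CD_CONTENT, "http_client_body", True)]


if __name__ == "__main__":
    post = build_sample_post()
    print("as posted  :", rule_matches(post, RULE_AS_POSTED))
    print("corrected  :", rule_matches(post, RULE_CORRECTED))
    lower = build_sample_post(b"content-disposition")
    print("lowercase, no nocase:", rule_matches(lower, RULE_CORRECTED))
    print("lowercase, nocase   :", rule_matches(lower, RULE_NOCASE))
```

Run as-is, the first rule misses and the corrected one hits, because the Content-Disposition line never appears in the header buffer. The last two lines show what nocase buys: a client that emits `content-disposition` in lower case (legal, since HTTP header names are case-insensitive) slips past the exact match but not the nocase one; whether a given malware family ever varies the case is an empirical question the thread leaves open.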