[Snort-sigs] Expiro sigs

Y M snort at ...3751...
Thu Nov 14 10:12:39 EST 2013


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla"; http_header; fast_pattern:only; pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}/Hmi"; metadata:policy security-ips drop, ruleset community, service http; reference:url,kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf; classtype:trojan-activity; sid:100109; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla"; http_header; fast_pattern:only; pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}/Hmi"; metadata:policy security-ips drop, ruleset community, service http; reference:url,kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf; classtype:trojan-activity; sid:100111; rev:1;)
Any help with the pcre is highly appreciated. Also, from the reference, it's not 100% clear to me if the URI of length (13-20) is actually associated with the POST request.
Thanks.
YM
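An added test harness for the two rules above, not part of YM's post or of any Snort release: it copies the two pcre option values verbatim, compiles them with Python's re module (which stands in for Snort's PCRE here; the raw header block passed to search() plays the role of the normalized header buffer the H flag selects), and walks the rest of the option chain (http_method, urilen, the http_header content) against a handful of constructed requests. The User-Agent values are made up to exercise the pattern's fixed-width fields and are not real Expiro samples; the urilen check assumes exclusive bounds, which is an assumption to confirm against the manual for the Snort version in use.

```python
import re

# Added harness (not part of the post). Python's re engine approximates Snort's PCRE;
# the header block handed to search() stands in for the "H" (normalized header) buffer.

# The two pcre option values, copied verbatim from the posted rules.
PCRE_100109 = r'"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}/Hmi"'
PCRE_100111 = r'"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}/Hmi"'


def compile_snort_pcre(option):
    """Compile the value of a Snort pcre option ("/regex/flags") with Python's re.

    i/m/s/x map to the re flags of the same name. Buffer-selection letters
    (H, U, P, ...) are accepted and ignored: this harness decides which buffer
    the pattern sees by what it passes to search().
    """
    body = option.strip().strip('"')
    end = body.rfind("/")
    if not body.startswith("/") or end == 0:
        raise ValueError("pcre option must look like /regex/flags")
    regex, flags = body[1:end], body[end + 1:]
    re_flags = 0
    for ch in flags:
        re_flags |= {"i": re.I, "m": re.M, "s": re.S, "x": re.X}.get(ch, 0)
    return re.compile(regex, re_flags)


RULES = {100109: compile_snort_pcre(PCRE_100109), 100111: compile_snort_pcre(PCRE_100111)}


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, header_block). Minimal, demo only."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, header_block


def urilen_in_range(uri, lo=13, hi=20):
    """urilen:13<>20. Assumption: exclusive bounds ("greater than 13 and less than 20");
    confirm the boundary semantics against the manual for the deployed Snort version."""
    return lo < len(uri) < hi


def evaluate(raw):
    """Return the sids whose option chain matches the request, in rule order."""
    method, uri, headers = parse_request(raw)
    if method != "POST":                       # content:"POST"; http_method
        return []
    if not urilen_in_range(uri):               # urilen:13<>20,norm
        return []
    if "User-Agent: Mozilla" not in headers:   # content:"User-Agent|3A 20|Mozilla"; http_header (case-sensitive)
        return []
    return [sid for sid, rx in RULES.items() if rx.search(headers)]


# Constructed samples (not real Expiro traffic): the User-Agent values below are made up
# to fill every fixed-width field of the pattern.
UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT6.1.1234-ABCD1234.XYZ.A1B2C3D4-123456-ABCDEF-A1B2C3D4"


def build_request(method, uri, user_agent):
    return (f"{method} {uri} HTTP/1.1\r\n"
            f"Host: example.invalid\r\n"
            f"User-Agent: {user_agent}\r\n"
            f"Content-Length: 0\r\n\r\n")


SAMPLES = {
    "hid_with_clr":    build_request("POST", "/abcdefghijklmn", UA_PREFIX + "; .NET CLR 12345678/87654321)"),
    "hid_without_clr": build_request("POST", "/abcdefghijklmn", UA_PREFIX + ")"),
    "benign_ua":       build_request("POST", "/abcdefghijklmn", "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"),
    "wrong_method":    build_request("GET",  "/abcdefghijklmn", UA_PREFIX + "; .NET CLR 12345678/87654321)"),
    "uri_too_short":   build_request("POST", "/short",          UA_PREFIX + "; .NET CLR 12345678/87654321)"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16s} -> {evaluate(raw)}")
```

The first sample fires both sids and the second only sid 100109, which shows the two rules are a general and a stricter variant of one pattern rather than two independent detections; with identical msg strings they would be hard to tell apart in alert output, so a distinct msg on the ".NET CLR" variant is worth considering. The remaining samples show each gate in the option chain (method, URI length, the literal content) dropping the request before the pcre is ever evaluated.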

