[Snort-sigs] Zbot variant sigs

Y M snort at ...3751...
Fri Oct 11 17:15:01 EDT 2013

Hi Joel,
You are absolutely right. Reading your comment and revising the rule, as well as reading the file_data documentation again, now I see why. I misinterpreted the purpose of file_data. I went back to the test box and the part (file_data; content:"swift_copy.exe") is not included in the rule; I added it afterwards, hmmm...
That part certainly needs to go away. Thanks for pointing it out and explaining it.

YM

Subject: Re: [Snort-sigs] Zbot variant sigs
From: jesler at ...435...
Date: Fri, 11 Oct 2013 14:21:56 -0400
CC: snort-sigs at lists.sourceforge.net
To: snort at ...3751...

On Oct 10, 2013, at 4:43 AM, Y M <snort at ...3751...> wrote:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack"; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; file_data; content:"swift_copy.exe"; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:1;)
That shouldn't work, you have an outbound rule, but you are looking for the file being downloaded in the return (file_data; content:"swift_copy.exe")
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
AEGIS Intelligence Lead
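As an added example (not a rule from the thread or from the VRT ruleset), this is one way to split the detection so each buffer is inspected in the direction it actually exists in: the request rule keeps the http_uri match and drops file_data, and a separate response rule with flow:to_client uses file_data on the returned body. The rev bump on the first rule and sid:1000001 on the second are placeholders chosen for this example.

```snort
# Added example, not from the thread. Request direction: match the phishing URI
# in the client's GET. No file_data here, because the request carries no
# response body for it to point at.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack"; flow:to_server,established; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:2;)

# Response direction: server -> client on an established session. file_data now
# selects the (dechunked, decompressed) HTTP response body, so the archive
# member name stored in the zip's local file header is actually inspectable.
# sid:1000001 is a placeholder in the local sid range, not an assigned sid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Zbot variant malware swift_copy.exe inside downloaded zip"; flow:to_client,established; file_data; content:"swift_copy.exe"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:1000001; rev:1;)
```

The plain content match on the member name works because zip stores file names uncompressed; the executable bytes themselves are inside the deflated stream and would need the file preprocessor or a hash-based rule to inspect.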