[Snort-sigs] Egobot

James Lay jlay at ...3266...
Tue Oct 15 10:02:06 EDT 2013


I may have missed something...it IS early in the AM after all ;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"MALWARE-OTHER Win32.EgoBot CnC traffic"; \
flow:to_server,established; \
content:"|2f|micro|2f|advice.php|3f|arg1=1irst|26|arg2="; http_uri; \
fast_pattern:only; \
metadata:policy balanced-ips drop, policy security-ips drop, service http, ruleset community; \
reference:url,www.symantec.com/connect/blogs/backdooregobot-how-effectively-execute-targeted-campaign; \
classtype:trojan-activity; sid:10000105; rev:1;)

James
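Added example, not part of the post above: a small Python script that decodes the rule's Snort content string (the |xx| hex escapes) and applies it to constructed HTTP request lines, showing which URIs the http_uri content match would flag. It approximates Snort's matching with a plain case-sensitive substring test on the raw URI and does not perform Snort's URI normalization.

```python
# Added example: decode the Snort content pattern from the EgoBot rule
# and run it over constructed sample request lines. Not Snort's own code;
# a plain substring check standing in for the http_uri content match.
import re
from typing import List, Optional

# Content pattern copied from the rule; |xx| spans are hex-encoded bytes.
RULE_CONTENT = "|2f|micro|2f|advice.php|3f|arg1=1irst|26|arg2="


def decode_snort_content(pattern: str) -> bytes:
    """Translate Snort content syntax into raw bytes.

    Text outside |...| is literal; inside, space-separated hex octets.
    """
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:                      # literal text
            out += chunk.encode("latin-1")
        else:                               # hex bytes, e.g. "2f" or "0d 0a"
            out += bytes.fromhex(chunk.replace(" ", ""))
    return bytes(out)


def request_uri(request_line: str) -> Optional[bytes]:
    """Return the URI from an HTTP request line, or None if malformed."""
    m = re.match(r"^[A-Z]+ (\S+) HTTP/\d\.\d$", request_line)
    return m.group(1).encode("latin-1") if m else None


def matches_egobot_rule(request_line: str) -> bool:
    """True if the request URI contains the rule's content bytes."""
    uri = request_uri(request_line)
    needle = decode_snort_content(RULE_CONTENT)
    return uri is not None and needle in uri


# Constructed sample request lines (not real traffic captures).
SAMPLE_REQUESTS = [
    "GET /micro/advice.php?arg1=1irst&arg2=abc HTTP/1.1",  # should match
    "GET /micro/advice.php?arg1=first&arg2=abc HTTP/1.1",  # 'first', not '1irst'
    "GET /index.html HTTP/1.1",
]


def flag_requests(lines: List[str]) -> List[str]:
    """Return the request lines the rule would alert on."""
    return [line for line in lines if matches_egobot_rule(line)]


if __name__ == "__main__":
    for line in flag_requests(SAMPLE_REQUESTS):
        print("ALERT MALWARE-OTHER Win32.EgoBot CnC traffic:", line)
```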

