jlay at ...3266...
Tue Oct 15 12:13:10 EDT 2013
On 2013-10-15 10:05, Nick Randolph wrote:
> Looking at the screenshot they used to show the outbound request it
> looks like sid:19165 might catch this but, since they provided a
> screenshot I can't tell if the 0x20 is present at the end of the
> user-agent string and it doesn't look like they provided a hash.
> The %s indicates a string variable so the /micro/advice.php and the
> 1irst are probably not static. Something like
> content:"arg1="; http_uri; content:"arg2="; distance:0; http_uri;
> should catch what you're looking for.
> On Tue, Oct 15, 2013 at 10:02 AM, James Lay <jlay at ...3266...> wrote:
>> I may have missed something...it IS early in the AM after all ;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"MALWARE-OTHER Win32.EgoBot CnC traffic";
>> content:"|2f|micro|2f|advice.php|3f|arg1=1irst|26|arg2="; http_uri;
>> fast_pattern:only; metadata:policy balanced-ips drop, policy
>> security-ips drop, service http, ruleset community;
>> classtype:trojan-activity; sid:10000105; rev:1;)
Ya, good call Nick...I hosed it on the variables yet again...confirmed.
Bleh...thanks for the catch.
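As an added example (not from the original thread, and not Snort or Snort project code), the following Python model shows why the static content in the posted rule misses variants of the URI while Nick's two-content chain catches them, and also where the chain has limits. It decodes Snort's |hex| content notation and emulates an ordered chain of content matches where every content after the first behaves as if it carried distance:0 (search resumes at the end of the previous match). The matcher is a deliberate simplification of Snort's http_uri matching, and the sample URIs are constructed for illustration, not captured traffic.

```python
"""Toy model of Snort content / distance:0 / http_uri matching.

Added example, not part of the original thread or of Snort. The matcher
below is a simplified stand-in for Snort's relative content matching and
the sample URIs are constructed, not taken from real traffic.
"""
import re
from typing import List, Sequence


def decode_snort_content(s: str) -> bytes:
    """Turn a Snort content string such as '|2f|micro|2f|' into raw bytes.

    Runs of hex between pipe characters are decoded; everything else is
    taken literally. Spaces inside the pipes are ignored, as Snort allows.
    """
    out = bytearray()
    for chunk in re.split(r"(\|[0-9A-Fa-f ]+\|)", s):
        if chunk.startswith("|") and chunk.endswith("|") and len(chunk) > 1:
            out += bytes.fromhex(chunk[1:-1])
        else:
            out += chunk.encode()
    return bytes(out)


def uri_matches(uri: str, contents: Sequence[bytes]) -> bool:
    """Emulate an ordered content chain against the (normalized) URI buffer.

    The first content is searched from offset 0; each following content is
    treated as carrying distance:0, i.e. it must start at or after the end
    of the previous match. Matching is case-sensitive, as Snort content is
    without the nocase modifier.
    """
    buf = uri.encode()
    pos = 0
    for pat in contents:
        idx = buf.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


# The content from the rule in the original post, decoded from its |hex| form.
STATIC_RULE: List[bytes] = [
    decode_snort_content("|2f|micro|2f|advice.php|3f|arg1=1irst|26|arg2=")
]

# Nick's suggestion: match only the argument names, in order.
VARIABLE_RULE: List[bytes] = [b"arg1=", b"arg2="]

# Constructed sample URIs (hypothetical, not captured traffic).
SAMPLE_URIS = [
    "/micro/advice.php?arg1=1irst&arg2=abc",   # exactly what the screenshot showed
    "/micro/advice.php?arg1=0ther&arg2=abc",   # the %s filled in differently
    "/other/path.php?arg1=x&arg2=y",           # the path itself is also variable
    "/micro/advice.php?arg2=abc&arg1=1irst",   # arguments in reverse order
    "/index.html",                             # unrelated request
    "/search?arg1=foo&arg2=bar",               # benign request with the same arg names
]


def evaluate(rule: Sequence[bytes], uris: Sequence[str]) -> List[bool]:
    """Return one match verdict per URI for the given content chain."""
    return [uri_matches(u, rule) for u in uris]


if __name__ == "__main__":
    for name, rule in (("static", STATIC_RULE), ("variable", VARIABLE_RULE)):
        print(name)
        for uri, hit in zip(SAMPLE_URIS, evaluate(rule, SAMPLE_URIS)):
            print(f"  {'HIT ' if hit else 'miss'} {uri}")
```

Two things worth noticing in the output: the reversed-argument URI is missed by the two-content chain because distance:0 enforces order, and the benign /search request is caught by it because "arg1=" and "arg2=" are generic parameter names. A rule built only from those two contents would need an additional anchor (a User-Agent content, a host pattern, or a stricter URI fragment) before it could be deployed without a high false-positive rate.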