[Snort-sigs] Bisonha C&C activity

Paul Bottomley Paul.Bottomley at ...3813...
Wed Sep 4 11:01:25 EDT 2013


Afternoon,

3001 is the only static match I can find... there may be something better to use?
I've included {262,304} given there are 42 zeros at offset 0x83 and not sure if they are always used?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bisonha C&C activity"; flow:to_server,established; content:"3001"; fast_pattern; http_uri; pcre:"/3001[0-9A-F]{262,304}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://bl0g.cedricpernet.net/; classtype:trojan-activity; sid:xxxxx; rev:1;)


________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130904/f3b8bc44/attachment.html>


More information about the Snort-sigs mailing list