[Snort-sigs] Rawbytes needed?

James Lay jlay at ...3266...
Wed Feb 5 13:34:42 EST 2014


What say you all?

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"MALWARE-CNC Win32/Asprox Variant Outbound Traffic"; \
    flow:from_server,established; \
    content:"|3c|html|3e 3c|body|3e|hi|21 3c 2f|body|3e 3c 2f|html|3e"; \
    fast_pattern:only; \
    reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; \
    classtype:trojan-activity; sid:10000124; rev:1; \
)

Guessing html and body tags will get normalized, yes?

James
