[Snort-sigs] Rawbytes needed?
jlay at ...3266...
Wed Feb 5 14:50:22 EST 2014
On 2014-02-05 12:38, Y M wrote:
> Hi James,
> How about using file_data? Also there is a missing pipe "|" at the
> of the content pattern :).
Ah thank you. RM mentioned that as well...my concern was that the date
would get normalized, but I'll give it a go. Thanks for the look to
both of you :) New rev here:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win32/Asprox Variant Outbound Traffic"; flow:from_server, established;
file_data; content:"|3c|html|3e 3c|body|3e|hi|21 3c 2f|body|3e 3c
classtype:trojan-activity; sid:10000124; rev:2;)
More information about the Snort-sigs