[Snort-sigs] Possible Dridex C2 UA sig

James Lay jlay at ...3266...
Thu Feb 19 14:08:00 EST 2015


Topic says it... went with two contents and fast_pattern instead of
pcre:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible Dridex C2 User Agent (AnyEvent)"; flow:to_server,established; content:"User-Agent|3a|"; content:"AnyEvent-HTTP"; http_header; fast_pattern:only; reference:url,software.schmorp.de/pkg/AnyEvent; classtype:trojan-activity; sid:10000152; rev:1;)

James
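An offline check of what the rule above fires on, as an added example (not part of the original post): a small Python emulation of its two content checks, the raw "User-Agent:" match on the whole payload and the "AnyEvent-HTTP" match restricted to the HTTP header block, run over constructed requests. It assumes an approximation of Snort's http_header buffer (header lines after the request line, up to the blank line) and does not model flow:to_server or the port variables.

```python
"""Emulate sid:10000152 (Dridex/AnyEvent-HTTP User-Agent) against sample requests.

Added example, not the original post's code. The header-buffer approximation
below is an assumption about Snort's http_header semantics, not a reference.
"""


def http_header_buffer(payload: bytes) -> bytes:
    """Return the header block after the request line, up to and including
    the CRLF that ends the last header; empty if the headers never terminate."""
    end = payload.find(b"\r\n\r\n")
    if end == -1:
        return b""
    first_line_end = payload.find(b"\r\n")
    return payload[first_line_end + 2:end + 2]


def rule_matches(payload: bytes) -> bool:
    """content:"User-Agent|3a|" on the raw payload, then
    content:"AnyEvent-HTTP"; http_header on the header buffer only."""
    if b"User-Agent:" not in payload:
        return False
    return b"AnyEvent-HTTP" in http_header_buffer(payload)


# Constructed sample requests (not real captures).
SAMPLES = {
    "anyevent_ua": b"POST /x HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"User-Agent: AnyEvent-HTTP/2.21\r\nContent-Length: 0\r\n\r\n",
    "browser_ua": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n",
    # UA string appears only in the body: the http_header-restricted match misses it.
    "string_in_body_only": b"POST /x HTTP/1.1\r\nHost: example.invalid\r\n"
                           b"User-Agent: curl/7.0\r\nContent-Length: 13\r\n\r\n"
                           b"AnyEvent-HTTP",
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to whether the emulated rule would alert."""
    return {name: rule_matches(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'ALERT' if hit else 'no alert'}")
```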




More information about the Snort-sigs mailing list