<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><base href="x-msg://4445/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Paul,<div><br></div><div>Here's what I came up with, and added:</div><div><br></div><div>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; content:"/images/"; http_uri; content:".php?id="; distance:1; http_uri; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26923; rev:1;)</div><div><br></div><div>Thanks for your addition.</div><div><br></div><div><span style="font-size: 12px; font-family: 'Lucida Grande'; ">--</span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; "><b>Joel Esler</b></span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; ">Senior Research Engineer, VRT</span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; ">OpenSource Community Manager</span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; ">Sourcefire</span></div><div><font face="Lucida Grande"><span style="font-size: 12px;"><br></span></font></div><div><font face="Lucida Grande"><span style="font-size: 12px;"><br></span></font><div><div>On Jun 13, 2013, at 7:28 AM, Paul Bottomley <<a href="mailto:Paul.Bottomley@...3813...">Paul.Bottomley@...3320...813...</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-GB" link="blue" vlink="purple" style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; 
-webkit-text-stroke-width: 0px; "><div class="WordSection1" style="page: WordSection1; "><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Might need running in your test lab for a week or so to see what it picks up… From observation, so no reference.</div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> </div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:established,to_server; content:"/images/"; fast_pattern:only; http_uri; pcre:"/\/images\/[a-zA-Z]{1}\.php\?id\=[0-9]{2,}/Ui"; classtype:trojan-activity; sid:xxxxxx; rev:1;)</div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> </div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Thanks</div></div><br clear="both">_______________________________________________<br>Snort-sigs mailing list<br><a href="mailto:Snort-sigs@...184...ists.sourceforge.net" style="color: purple; text-decoration: underline; ">Snort-sigs@lists.sourceforge.net</a><br><a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" style="color: purple; text-decoration: underline; ">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br><a href="http://www.snort.org" style="color: purple; text-decoration: underline; ">http://www.snort.org</a><br><br><br>Please visit <a href="http://blog.snort.org" style="color: purple; text-decoration: underline; ">http://blog.snort.org</a> for the latest news about Snort!</div></blockquote></div><br></div></body></html>
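The two rule versions in this thread differ in the URI pattern they accept: Paul's draft uses an unanchored `[0-9]{2,}`, while the rule Joel added as sid 26923 adds a second content match with `distance:1`, tightens the id to `[0-9]{2,3}` with an optional `.d` suffix, and anchors the match with `$`. The script below is an added example written for this page, not code from either poster, from the VRT or from Snort itself. It copies the PCRE bodies from the two rules and runs them, together with a simplified emulation of the `content`/`distance` gating, over a constructed list of URIs so the difference is visible. The `_content` helper, the sample URIs and the assumption that Snort's `content` keyword is case-sensitive without `nocase` while the `i` flag makes only the PCRE case-insensitive are this example's own; it does not reproduce http_inspect normalization or Snort's handling of repeated occurrences of the first content.

```python
import re

# Constructed sample of normalized request URIs (made up for this example,
# not real Zeus telemetry). Snort's http_uri buffer holds the path and query
# as seen after http_inspect normalization; the host is not part of it.
SAMPLE_URIS = [
    "/images/a.php?id=12",        # minimal check-in shape both rules target
    "/images/B.php?id=123.4",     # optional ".d" suffix allowed by sid 26923 rev 1
    "/images/c.php?id=1234",      # four-digit id
    "/images/d.php?id=12&s=1",    # extra query parameter after the id
    "/images/ab.php?id=12",       # two-letter script name
    "/images/e.php?id=1",         # one-digit id
    "/imgs/a.php?id=12",          # different directory
    "/IMAGES/a.php?id=12",        # upper-case path
]

# PCRE bodies copied verbatim from the two rules in the thread. Snort's "U"
# flag selects the URI buffer (here: the URI string we pass in) and "i" maps
# to re.IGNORECASE. Python's re accepts the "\/" and "\=" escapes unchanged.
PAUL_PCRE = re.compile(r"\/images\/[a-zA-Z]{1}\.php\?id\=[0-9]{2,}", re.IGNORECASE)
JOEL_PCRE = re.compile(r"\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$", re.IGNORECASE)


def _content(buf: str, needle: str, start: int = 0) -> int:
    """Simplified Snort content match (assumption of this example): a
    case-sensitive substring search, as for a content without nocase,
    starting at offset `start`. Returns the end offset of the first hit,
    or -1 if the pattern is absent."""
    idx = buf.find(needle, start)
    return -1 if idx < 0 else idx + len(needle)


def paul_rule_matches(uri: str) -> bool:
    """content:"/images/"; http_uri; followed by the unanchored PCRE."""
    if _content(uri, "/images/") < 0:
        return False
    return PAUL_PCRE.search(uri) is not None


def joel_rule_matches(uri: str) -> bool:
    """content:"/images/"; http_uri; content:".php?id="; distance:1; http_uri;
    followed by the end-anchored PCRE. distance:1 means the second content
    may only begin at least one byte after the end of the first match, which
    is exactly the room the single-letter script name takes."""
    end_first = _content(uri, "/images/")
    if end_first < 0:
        return False
    if _content(uri, ".php?id=", end_first + 1) < 0:
        return False
    return JOEL_PCRE.search(uri) is not None


def evaluate(uris=SAMPLE_URIS) -> dict:
    """Return {uri: (paul_rule_matches, joel_rule_matches)} for each URI."""
    return {u: (paul_rule_matches(u), joel_rule_matches(u)) for u in uris}


if __name__ == "__main__":
    for uri, (paul, joel) in evaluate().items():
        print(f"{uri:28s} Paul: {paul!s:5}  Joel (26923): {joel!s:5}")
```

Running it shows where the two drafts diverge: a four-digit id or a trailing `&s=1` still fires Paul's unanchored `{2,}` pattern but not the `{2,3}(\.\d)?$` form, while an upper-case `/IMAGES/` path fires neither, because the case-sensitive `content:"/images/"` gate runs before the case-insensitive PCRE ever sees the URI. That last case is the sort of thing a week in the test lab, as Paul suggests, would surface if the family ever varied the path casing.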