<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 26, 2013 at 2:28 PM,  <span dir="ltr"><<a href="mailto:snort-sigs-request@lists.sourceforge.net" target="_blank">snort-sigs-request@lists.sourceforge.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Yippee<br>
<br>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC W32.Trojan.PinkStats outbound connection"; flow:to_server,established; content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; http_header; content:"/count.asp?mac="; http_uri; content:"&ver="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,<a href="http://www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html" target="_blank">http://www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html</a>; classtype:trojan-activity; sid:10000083; rev:1;)<br>
<br>
Rule 24015 seems to be a cousin MALWARE-CNC W32.Trojan.Magania<br>
<br>
James<br></blockquote></div><br>James, are there any benefits to having your rule match the URI content before the UA content? I might need to read some additional material to understand the order in which a signature is read by Snort, but the correct flow would have the URI before the UA header, correct? </div>
</div>
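The ordering question raised in the reply can be checked with a small model of how Snort 2 evaluates the content options of the posted rule. The code below is an added example written for this page; it is not Snort code and not something either poster provided. It models the two stages Snort uses (a multi-pattern prefilter driven by the `fast_pattern` content, then per-option evaluation in rule order) and runs the PinkStats contents over constructed HTTP requests, first in the posted order (User-Agent first) and then with the two `http_uri` contents first. The HTTP parsing is a deliberate simplification of Snort's HTTP inspector, and the request bytes are made up for the example.

```python
"""Toy model of Snort 2 content evaluation for the PinkStats rule.
Added example for this thread, not Snort code: the HTTP parsing and the
prefilter are deliberate simplifications, and the requests are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Content:
    pattern: bytes
    buffer: str                       # "http_header" or "http_uri"
    fast_pattern_only: bool = False   # models Snort's fast_pattern:only


def snort_content(text: str) -> bytes:
    """Turn a Snort content string with |hex| escapes into raw bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


# The three content options from the posted rule, in the posted order.
PINKSTATS_CONTENTS = [
    Content(snort_content("User-Agent: Google page|0D 0A|"), "http_header",
            fast_pattern_only=True),
    Content(snort_content("/count.asp?mac="), "http_uri"),
    Content(snort_content("&ver="), "http_uri"),
]


def parse_request(raw: bytes) -> dict:
    """Split a raw request into the buffers the rule inspects (simplified)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    # http_header covers the header block without the request line.
    return {"http_uri": uri, "http_header": b"\r\n".join(header_lines) + b"\r\n"}


def prefilter_hit(contents, buffers) -> bool:
    """Stage 1: only the fast-pattern content enters the multi-pattern matcher.
    Snort uses the content flagged fast_pattern, else the longest one; its
    position in the rule does not matter."""
    flagged = [c for c in contents if c.fast_pattern_only]
    fp = flagged[0] if flagged else max(contents, key=lambda c: len(c.pattern))
    return fp.pattern in buffers[fp.buffer]


def rule_matches(contents, raw: bytes) -> bool:
    """Stage 2 runs only after a prefilter hit; the remaining contents are
    checked in rule order. With no distance/within modifiers each check is
    independent, so the order changes cost, not the verdict."""
    buffers = parse_request(raw)
    if not prefilter_hit(contents, buffers):
        return False
    # A fast_pattern:only content is not re-checked as a rule option.
    return all(c.pattern in buffers[c.buffer]
               for c in contents if not c.fast_pattern_only)


def verdict_both_orders(raw: bytes):
    """Posted order (UA first) versus URI contents first: same verdict."""
    uri_first = sorted(PINKSTATS_CONTENTS, key=lambda c: c.buffer != "http_uri")
    return rule_matches(PINKSTATS_CONTENTS, raw), rule_matches(uri_first, raw)


# Constructed requests for the example (not real captures).
CNC_REQUEST = (b"GET /count.asp?mac=001122334455&ver=1 HTTP/1.1\r\n"
               b"Host: example.invalid\r\nUser-Agent: Google page\r\n\r\n")
BENIGN_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
UA_ONLY = (b"GET /other HTTP/1.1\r\n"
           b"Host: example.invalid\r\nUser-Agent: Google page\r\n\r\n")
URI_ONLY = (b"GET /count.asp?mac=001122334455&ver=1 HTTP/1.1\r\n"
            b"Host: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("cnc", CNC_REQUEST), ("benign", BENIGN_REQUEST),
                      ("ua-only", UA_ONLY), ("uri-only", URI_ONLY)]:
        print(name, verdict_both_orders(req))
```

The point the model makes: the verdict is identical in both orders, because the prefilter is selected by the `fast_pattern` flag rather than by position, and none of the three contents uses a relative modifier (`distance`/`within`) that would tie it to the previous match. Where order does matter in a real Snort rule is cost (put the cheapest or most selective non-fast-pattern check first) and relative modifiers, which must follow the content they are anchored to.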