<div dir="ltr"><div>I thought that the content match you had was unique enough to make the PCRE unnecessary. Here is what the rule will look like.<br><br>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/">blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/</a>; classtype:trojan-activity; sid:27246; rev:1;)<br>
<br></div>Thanks Paul<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 18, 2013 at 6:20 AM, Paul Bottomley <span dir="ltr"><<a href="mailto:Paul.Bottomley@...3813..." target="_blank">Paul.Bottomley@...3813...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div link="blue" vlink="purple" lang="EN-GB">
<div>
<p class="MsoNormal">Morning!<u></u><u></u></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Probably not the best written rule given the amount of matches on the regex and I'm sure there are loads of ways to write this rule (see source on pastebin link), so if anyone wants to better this feel free
:)<u></u><u></u></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><a href="http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/" target="_blank">http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/</a><u></u><u></u></p>

<p class="MsoNormal"><a href="http://pastebin.com/THRQ1Xp2" target="_blank">http://pastebin.com/THRQ1Xp2</a><u></u><u></u></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"[DELIVERY] Mac OSX Ransomware Excessive iframes"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern;
 pcre:"/(?:<iframe\s+src=.*){150}/";............)<u></u><u></u></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
<p class="MsoNormal">Paul<u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:Tahoma,sans-serif;color:gray">&nbsp;</span></p>
</div>
<br clear="all">
</div>

<br>_______________________________________________<br>

Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...639...forge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br>
<a href="http://www.snort.org" target="_blank">http://www.snort.org</a><br>
<br>
<br>
Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br></blockquote></div><br><br clear="all"><br>-- <br><br>Nick Randolph<br>Research Engineer<br>Sourcefire, Inc.<br>
<a href="mailto:nrandolph@...435..." target="_blank">nrandolph@...3413....</a><br><a href="http://www.sourcefire.com/" style="color:rgb(17,85,204)" target="_blank">Sourcefire.com</a>
</div>
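<p>The thread turns on two ways of detecting the same lock page: Paul's rule anchors on the content string and then requires 150 iframes via a quantified PCRE group, while Nick's rule keeps only the content match. The Python below is an added example, not code from either poster or from Snort: it decodes the rule's content string (Snort's <code>|xx|</code> hex notation) into the bytes Snort actually searches for, runs that match and a linear iframe count over a constructed HTML body, and builds Paul's PCRE shape with a configurable repeat count so the behaviour of the quantified group can be examined on small inputs. The sample page, the <code>.html</code> file name in its iframes and all function names are constructed for this example.</p>

```python
import re

# The content match shared by both rules in the thread, exactly as written
# in Snort's content syntax (|xx| encodes a byte in hex; everything else is literal).
RULE_CONTENT = "<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string into the raw bytes Snort searches for.

    Handles |hex| byte groups (spaces inside the pipes are ignored) and the
    backslash escapes Snort allows for the characters ; \\ " |.
    """
    out = bytearray()
    i = 0
    while i < len(content):
        ch = content[i]
        if ch == "|":
            end = content.index("|", i + 1)  # ValueError on an unbalanced pipe
            out += bytes.fromhex(content[i + 1:end].replace(" ", ""))
            i = end + 1
        elif ch == "\\" and i + 1 < len(content):
            out.append(ord(content[i + 1]))  # escaped literal character
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def content_matches(body: bytes) -> bool:
    """Nick's rule: a single content match on the first lock-page iframe."""
    return snort_content_to_bytes(RULE_CONTENT) in body


def iframe_run_regex(count: int) -> re.Pattern:
    """Paul's PCRE shape, /(?:<iframe\\s+src=.*){N}/, with N as a parameter.

    The page's rule uses {150}. Because '.' does not match a newline, the
    group only chains iframes that sit on one line, and the greedy '.*' is
    re-explored on every backtrack, so the cost grows steeply with the number
    of iframes on that line; keep the count small when experimenting.
    """
    return re.compile(rb"(?:<iframe\s+src=.*){%d}" % count)


def count_lock_iframes(body: bytes) -> int:
    """Linear-time alternative to the quantified group: count the iframes
    that point at the lock page, regardless of line breaks between them."""
    needle = re.escape(snort_content_to_bytes(RULE_CONTENT))
    return len(re.findall(needle, body))


def build_sample_page(n_iframes: int, sep: bytes = b"\n") -> bytes:
    """Constructed HTML in the style the referenced blog post describes
    (many hidden iframes whose src is the 'YOUR BROWSER HAS BEEN LOCKED' page).
    Not captured from the real malware page; the .html file name is made up."""
    iframe = (b'<iframe src="YOUR%20BROWSER%20HAS%20BEEN%20LOCKED.html" '
              b'width="1" height="1"></iframe>')
    return b"<html><body>" + sep.join([iframe] * n_iframes) + b"</body></html>"


if __name__ == "__main__":
    page = build_sample_page(150)
    print("decoded content:", snort_content_to_bytes(RULE_CONTENT))
    print("content match on 150-iframe page:", content_matches(page))
    print("lock-page iframes counted:", count_lock_iframes(page))
    print("PCRE {3} with newlines between iframes:",
          iframe_run_regex(3).search(build_sample_page(3)) is not None)
    print("PCRE {3} with iframes on one line:",
          iframe_run_regex(3).search(build_sample_page(3, b"")) is not None)
```

<p>Two things fall out of running it. The decoded content string is already specific to this page (the <code>%20</code>-encoded phrase inside a quoted <code>src</code>), so it fires on the very first iframe whether or not 149 more follow, which is the basis of Nick's single-content rule. And the quantified <code>(?:&lt;iframe\s+src=.*){N}</code> group depends on the iframes sharing a line: with a newline between them the <code>.*</code> cannot bridge to the next tag and the group never matches, while a plain count of the decoded string sees all of them. If a threshold on the number of iframes is really wanted, a count like <code>count_lock_iframes</code> is the predictable way to express it.</p>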