<html>
<head>
</head>
<body class='hmmessage'><div dir='ltr'>

<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style>
<div dir="ltr"><div>Second paragraph under "Use of DGA" from the reference:</div><div><br></div><div>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Caphaw outbound connection attempt"; flow:to_server,established; content:"/ping.html?r="; http_uri; fast_pattern:only; content:!"/utils/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; classtype:trojan-activity; sid:100044; rev:1;)</div><div><br></div><div>Another rule can be devised from the reference. It is similar to sid:27538, with a slight modification to the first content match and an additional content match for "localhost":</div><div><br></div><div>alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name"; flow:established,to_client; ssl_state:server_hello; content:"localhost"; content:"|55 04 0A 13 0E|MyCompany Ltd"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ssl; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,en.wikipedia.org/wiki/Self-signed_certificate; reference:url,security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html; classtype:policy-violation; sid:100045; rev:1;)</div></div>
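<div><br></div><div>Added example, not part of the message above: a small Python script that builds the DER encoding an X.509 subject carries for organizationName (OID 2.5.4.10), derives the Snort content match that a certificate rule like sid:27538 or the one above needs, and checks it against constructed subjects. The length byte that follows the string tag (the 0E in |55 04 0A 13 0E|) has to equal the byte length of the exact value in the certificate, and the tag has to match the string type the certificate uses (13 PrintableString, 0C UTF8String), so both are worth confirming against the certificate from the reference before the rule goes live. The sample subjects, the function names and the rule_matches() check are constructed for illustration and are not taken from Snort or from the referenced post.</div>

```python
# Added example (not part of the original message): build the DER bytes an X.509
# subject carries for organizationName (OID 2.5.4.10), derive the Snort content
# pattern a certificate rule needs, and check it against constructed subjects.
# All sample subjects below are constructed here, not taken from a real certificate.

OID_COMMON_NAME = bytes.fromhex("550403")        # 2.5.4.3
OID_ORGANIZATION_NAME = bytes.fromhex("55040A")  # 2.5.4.10
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form at or above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def _string(value: str, utf8: bool):
    """(tag, raw bytes) for the chosen ASN.1 string type."""
    if utf8:
        return UTF8_STRING, value.encode("utf-8")
    return PRINTABLE_STRING, value.encode("ascii")


def attribute(oid: bytes, value: str, utf8: bool = False) -> bytes:
    """One RelativeDistinguishedName: SET { SEQUENCE { OID, string } }."""
    tag, raw = _string(value, utf8)
    return der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(tag, raw)))


def subject_name(cn: str, org: str, utf8: bool = False) -> bytes:
    """Name ::= SEQUENCE OF RDN, with O before CN as OpenSSL writes it."""
    return der_tlv(0x30, attribute(OID_ORGANIZATION_NAME, org, utf8)
                   + attribute(OID_COMMON_NAME, cn, utf8))


def snort_content(data: bytes, force_hex: int = 0) -> str:
    """Render bytes in Snort content syntax: printable ASCII as text (with |;"\ escaped),
    everything else in |hex| sections; the first force_hex bytes are always hex."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for i, b in enumerate(data):
        if i < force_hex or not 0x20 <= b <= 0x7E:
            hexrun.append(b)
        else:
            flush()
            ch = chr(b)
            out.append("\\" + ch if ch in '|;"\\' else ch)
    flush()
    return "".join(out)


def org_name_content(org: str, utf8: bool = False) -> str:
    """The content match a rule like sid:27538 needs for a given organizationName."""
    tag, raw = _string(org, utf8)
    prefix = OID_ORGANIZATION_NAME + bytes([tag]) + der_len(len(raw))
    return snort_content(prefix + raw, force_hex=len(prefix))


def content_to_bytes(pattern: str) -> bytes:
    """Parse Snort content syntax (text, \-escapes and |hex| sections) back to bytes."""
    out, i = bytearray(), 0
    while i < len(pattern):
        c = pattern[i]
        if c == "|":
            end = pattern.index("|", i + 1)
            out += bytes.fromhex(pattern[i + 1:end])
            i = end + 1
        elif c == "\\":
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def rule_matches(subject_der: bytes, org_pattern: str, cn_literal: str = "localhost") -> bool:
    """Plain-payload equivalent of the rule's two content options (hypothetical helper)."""
    return cn_literal.encode("ascii") in subject_der and content_to_bytes(org_pattern) in subject_der


def extract_org_names(der: bytes) -> list:
    """Find every organizationName value regardless of which string type encodes it."""
    marker = der_tlv(0x06, OID_ORGANIZATION_NAME)
    found, pos = [], der.find(marker)
    while pos != -1:
        i = pos + len(marker)
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        raw = der[i:i + n]
        found.append(raw.decode("utf-8" if tag == UTF8_STRING else "ascii", "replace"))
        pos = der.find(marker, i + n)
    return found


# Constructed subjects: exact string, trailing period, and UTF8String encoding.
SUBJECT_EXACT = subject_name("localhost", "MyCompany Ltd")
SUBJECT_DOTTED = subject_name("localhost", "MyCompany Ltd.")
SUBJECT_UTF8 = subject_name("localhost", "MyCompany Ltd", utf8=True)

if __name__ == "__main__":
    for org in ("MyCompany Ltd", "MyCompany Ltd.", "Internet Widgits Pty Ltd"):
        print(f"{org!r:28} -> {org_name_content(org)}")
    posted = "|55 04 0A 13 0E|MyCompany Ltd"
    for label, subj in (("exact", SUBJECT_EXACT), ("dotted", SUBJECT_DOTTED), ("utf8", SUBJECT_UTF8)):
        print(f"{label:7} matches posted pattern: {rule_matches(subj, posted)}  O={extract_org_names(subj)}")
```

<div>Running the script prints the content string for each organization name and then shows which of the three constructed subjects the posted pattern would hit: the length byte pins the match to one exact string length, and a pattern keyed to the PrintableString tag 13 does not see a certificate whose issuer wrote the same name as a UTF8String (tag 0C), so a second content match or a second rule is needed if both encodings are in play.</div>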
                                          </div></body>
</html>