<div dir="ltr">Thanks!  We'll get these tested. <br><br><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><span>Carlos Pacho<br>Research Engineer, VRT<br>
Sourcefire, now part of Cisco<br><a href="mailto:cpacho@...435..." target="_blank">cpacho@...435...</a><br><a href="http://www.sourcefire.com/" target="_blank">Sourcefire.com</a></span></div></div>
<br><br><div class="gmail_quote">On Thu, Nov 14, 2013 at 10:12 AM, Y M <span dir="ltr"><<a href="mailto:snort@...3751..." target="_blank">snort@...3751...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div><div dir="ltr"><div>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla"; http_header; fast_pattern:only; pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}/Hmi"; metadata:policy security-ips drop, ruleset community, service http; reference:url,<a href="http://kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf" target="_blank">kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf</a>; classtype:trojan-activity; sid:100109; rev:1;)</div>
<div><br></div><div>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla"; http_header; fast_pattern:only; pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}/Hmi"; metadata:policy security-ips drop, ruleset community, service http; reference:url,<a href="http://kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf" target="_blank">kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf</a>; classtype:trojan-activity; sid:100111; rev:1;)</div>
<div><br></div><div>Any help with the pcre is highly appreciated. Also, from the reference, it's not 100% clear to me if the URI of length (13-20) is actually associated with the POST request.</div><div><br></div><div>Thanks.</div>
<span class="HOEnZb"><font color="#888888"><div>YM </div>                                     </font></span></div></div>

Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...639...forge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br>
<a href="http://www.snort.org" target="_blank">http://www.snort.org</a><br>
<br>
<br>
Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br></blockquote></div><br></div></div>
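<div dir="ltr">As an added example (my own script, not Sourcefire/VRT code and not part of either message above), this Python snippet applies the two pcre payloads from Y M's sids 100109 and 100111 to constructed request headers, so the regex can be checked before the rule goes into a sensor. The request blocks and User-Agent strings are made up to fit the pattern, not taken from any Expiro sample; the script models only http_method, the literal User-Agent content and the pcre, and leaves urilen and Snort's header normalisation to Snort itself.</div>

```python
import re
from typing import List

# The two pcre bodies transcribed from sids 100109 and 100111 above.  Snort's
# /Hmi becomes re.M | re.I; the H (normalised header) buffer is approximated
# by feeding the raw header block after the request line.
PCRE_HID = (
    r"^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}"
    r"\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}"
)
PCRE_HID_CLR = PCRE_HID + r"\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}"

RULES = {
    100109: re.compile(PCRE_HID, re.M | re.I),
    100111: re.compile(PCRE_HID_CLR, re.M | re.I),
}

# Constructed requests (not real captures).  The User-Agent values are shaped
# only to satisfy the regexes; the path is a dummy 14-byte string.
REQ_HID = (
    "POST /aaaaaaaaaaaaaa HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows "
    "NT6.1.1234-AB12CD34.EFG.H1JKLMN0-123456-ABCDEF-Z9Y8X7W6)\r\n"
    "\r\n"
)
REQ_HID_CLR = REQ_HID.replace("Z9Y8X7W6)", "Z9Y8X7W6; .NET CLR 12345678/87654321)")
REQ_BENIGN = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/25.0\r\n"
    "\r\n"
)

def rule_fires(sid: int, request: str) -> bool:
    """Approximate one rule body: POST method, the literal (case-sensitive,
    no nocase) User-Agent content, then the pcre against the headers."""
    request_line, _, headers = request.partition("\r\n")
    if request_line.split(" ", 1)[0] != "POST":
        return False
    if "User-Agent: Mozilla" not in headers:
        return False
    return RULES[sid].search(headers) is not None

def matching_sids(request: str) -> List[int]:
    """Sids of the rules above that fire on this request."""
    return sorted(sid for sid in RULES if rule_fires(sid, request))
```

The benign Firefox string fails at the space after "NT", so neither sid fires on it, while the ".NET CLR" suffix is what separates 100111 from 100109.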