Re: "Valid hex values only please!" error

[Peter Bates <peter.bates () ucl ac uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all... and particularly thanks to Kevin

On 23/01/2012 12:51, Kevin Ross wrote:
> Should be: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"CST ZeuS file=gwe.bin"; flow:established,to_server; 
> content:"/xml.php?q=1|3A|file=gwe.bin"; http_uri; 
> classtype:trojan-activity; sid:3100016; rev:1;)

Thanks for the advice and the fix - I forget why the flow state had
been removed but fixing up $HOME_NET and $EXTERNAL_NET were something
I should have done before.

> Also have a look at the emergingthreats.net rules as there are
> many rules there for Zeus behaviours and other trojans as well as 
> reputation stuff and loads of other rules for different things (as 
> you imagine, often the fast moving malware stuff such as URIs, 
> behaviours, exploit kit stuff etc).

We're running a mix of VRT, ET and some home-spun rules.
As you say, SIDs 2013976 and 2013076 are particularly effective.

- - --
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPHWEhAAoJELhVoVpEMS6RPnYH/0L82myRODESy/xfoDn9VVpR
vs/sxeoXcC8wNX6WHPoixdQ8bXX/AaenMloAPBxiFvOjXlvXPRD1IcmhGgM0VJzP
Jqxm2yV6GiyBj8vIRbYdETOkMyRh5fxph3O56hl//r2A964wEGV1f3Fdu0nMTbsD
Ubj7Quk88cgPNRB/IgvGs0Psip1HkCE5VfGHy4ofhEoviKsag3lrvduJTcKWGXSB
XhIsnLzJX7ZJh2Q5kHx6Zdd45+wkzOQdbSU7iYrFlIBuHdIaF2MLOYRh/uIEVsWG
50VqDzq4EjbGfebPWCES529oC8dLd5M/SKlIohFTiAlZ9CgXUWyMV3jIIw6lDqA=
=r+WX
-----END PGP SIGNATURE-----


------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!