Snort mailing list archives

Re: Trojan.APT.Seinup sig with pcre help request


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 21 Jun 2013 09:39:06 -0600

On 2013-06-21 09:27, Joel Esler wrote:
> Is there a minimum length to the query here, for the use of urilen?
> ".php" is a content match that will enter all the time. Trying to
> scrounge up ways of making this faster.

Yeah, I've been trying to optimize this myself...not sure if this is a
GET or POST...that could help if we knew. I've not seen any other info
on this besides the referenced site...maybe you can use your connections
to see what else we could get on this, Joel ;)

James

And yet another fix...thanks to those who have helped out:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Trojan.Win32.APT.Seinup outbound connection"; \
    flow:to_server,established; \
    content:".php|3f|"; http_uri; \
    pcre:"/\x2ephp\x3f[a-z0-9]{11,13}=[a-z0-9]{3,7}\x26[a-z0-9]{3,5}=[a-z0-9]{48}\x26[a-z0-9]{7,9}=[a-z0-9]{32}\x26[a-z0-9]{14,16}=/iU"; \
    metadata:policy balanced-ips drop, policy security-ips drop, service http; \
    reference:url,www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html; \
    classtype:trojan-activity; sid:10000081; rev:3; \
)

James
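Joel's question above amounts to "what is the shortest URI this pcre can possibly match?", since that number is the floor a urilen check could enforce before Snort ever runs the regex. The Python below is an added example written for this archive page, not code from the thread, from Snort or from FireEye: it takes James's pcre verbatim, derives the floor from the quantifiers, and exercises the regex against a constructed URI (filler parameter names and values, not a captured Seinup beacon) built at the pattern's minimum widths.

```python
import re

# The pcre body from James Lay's rule above (sid 10000081 rev 3), copied
# verbatim. Python's re module accepts the same \xNN escapes and {m,n}
# quantifiers, and re.IGNORECASE stands in for the rule's /i flag.
SEINUP_PCRE = (
    r"\x2ephp\x3f[a-z0-9]{11,13}=[a-z0-9]{3,7}\x26[a-z0-9]{3,5}="
    r"[a-z0-9]{48}\x26[a-z0-9]{7,9}=[a-z0-9]{32}\x26[a-z0-9]{14,16}="
)
SEINUP_RE = re.compile(SEINUP_PCRE, re.IGNORECASE)

# Tokenizer for the flat subset of PCRE this signature uses: one atom (a \xNN
# escape, a bracketed class, or a single literal) optionally followed by {n}
# or {m,n}. Groups, alternation and lazy quantifiers are deliberately not
# handled, because the signature does not use them.
_ATOM = re.compile(r"(\\x[0-9a-fA-F]{2}|\[[^\]]*\]|.)(?:\{(\d+)(?:,(\d+))?\})?")


def min_match_length(pattern: str) -> int:
    """Smallest number of bytes `pattern` can match: every atom contributes
    its minimum repeat count, or 1 when it carries no quantifier."""
    total = 0
    for atom in _ATOM.finditer(pattern):
        low = atom.group(2)
        total += int(low) if low is not None else 1
    return total


def min_uri_length(pattern: str) -> int:
    """Floor for a urilen check. The pcre is unanchored, but an absolute-path
    HTTP URI always has at least the leading "/" before ".php", so the URI
    buffer is at least one byte longer than the match itself."""
    return 1 + min_match_length(pattern)


def matches(uri: str) -> bool:
    """True when the rule's pcre would fire on this URI. The rule's content
    match on ".php?" is implied, since the pcre itself begins with it."""
    return SEINUP_RE.search(uri) is not None


def build_sample_uri(path: str = "/index.php") -> str:
    """Constructed test URI, not captured traffic: every variable-width field
    is at the pcre's minimum width, so it is the shortest shape (for this
    path) that the signature accepts. Parameter names and values are filler."""
    return (
        path + "?"
        + "a" * 11 + "=" + "b" * 3
        + "&" + "c" * 3 + "=" + "d" * 48
        + "&" + "e" * 7 + "=" + "f" * 32
        + "&" + "g" * 14 + "=" + "h" * 4
    )


if __name__ == "__main__":
    print("minimum pcre match:", min_match_length(SEINUP_PCRE), "bytes")
    print("minimum URI length:", min_uri_length(SEINUP_PCRE), "bytes")
    sample = build_sample_uri()
    for uri in (sample, sample.upper(), "/index.php?id=12345&page=2"):
        print(f"{len(uri):4d} {matches(uri)!s:5} {uri[:60]}...")
```

The floor comes out at 130 bytes for the match and 131 for the URI once the leading slash is counted, so a `urilen:>130;` option placed ahead of the pcre would let the rule bail out on every shorter request that still carries `.php?`, without discarding any URI the regex could match. How much that buys depends on how faithfully the quantifiers describe the real beacons; the FireEye write-up is the only sample this thread has to go on.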


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
