Snort mailing list archives
Re: April 9th compiled Zeus debug upload
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 17 May 2013 08:33:27 -0600
On 2013-05-17 08:26, Joel Esler wrote:
James, Is 25050 not catching this? Just for clarification? On May 17, 2013, at 10:04 AM, James Lay <jlay () slave-tothe-box net> wrote:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus April 9th 2013 variant data upload"; flow:to_server,established; content:"POST"; http_method; content:"|2f|test|2f|debug.php"; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,http://securityblog.s21sec.com/2013/05/testing-your-zeus-variant.html; classtype:trojan-activity; sid:10000062; rev:1;) James
Hey Joel, Yea I looked at that one(been trying to look at rules BEFORE I start making um for a refreshing change of pace :))..provided the UA matches I'll bet it would. Only data I have though is the "/test/debug.php"...would be nice to see a pcap that has this if anyone can provide? Thanks Joel! James ------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- April 9th compiled Zeus debug upload James Lay (May 17)
- Re: April 9th compiled Zeus debug upload Joel Esler (May 17)
- Re: April 9th compiled Zeus debug upload James Lay (May 17)
- Re: April 9th compiled Zeus debug upload Joel Esler (May 17)