Re: Syndicasec Stage Two traffic sig

[rmkml <rmkml () yahoo fr>]

Hi James,

Big thx you again for sharing malware rules!

Warn: change http_uri to http_client_body please

content HTTP/1.0 with http_header not fire for me.

Regards
@Rmkml


On Thu, 23 May 2013, James Lay wrote:

> Yay:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Trojan.Win32.Syndicasec Stage Two traffic"; flow:to_server,established;
> content:"POST"; http_method; content:"HTTP/1.0";
> content:"cstype=server|26|authname="; http_uri; metadata:policy
> balanced-ips drop, policy security-ips drop, service http;
> reference:url,http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin;
> classtype:trojan-activity; sid:10000072; rev:1;)
>
> And a question...would it make sense to add http_header; after
> content:"HTTP/1.0";?  Thanks all.
>
> James

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!