Snort mailing list archives

Rovnix Rule


From: Y M <snort () outlook com>
Date: Mon, 5 Aug 2013 17:43:52 +0000




Probably being cooked already, and maybe enhanced further, as the Rovnix behavior is far more complex:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download request"; \
flow:to_server,established; content:"GET"; content:"/ld.aspx"; nocase; http_uri; \
content:"User-Agent|3a 20|FWVersionTestAgent|0d 0a|"; fast_pattern:only; \
metadata:impact-flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; \
reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; \
reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; \
classtype:trojan-activity; sid:112233; rev:1;)
There is another potential rule in the pcap referenced (first reference) in the form of a "BLACKLIST DNS request", but I
think the one above is more relevant. Any ideas to make it better are always welcome.
Thanks.
YM
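As an added example (not part of the original post or of any Snort ruleset), the following Python models the three content matches of the rule above and runs them over constructed HTTP requests, so the matching semantics can be checked without a sensor: `content:"GET"` with no buffer modifier is an anywhere-in-payload match, `/ld.aspx` with `nocase; http_uri` is a case-insensitive match restricted to the request URI, and the `|3a 20|` / `|0d 0a|` hex escapes make the User-Agent match a case-sensitive, byte-exact match on a full header line. The sample requests, hostnames and the `rovnix_rule_matches` / `evaluate_samples` names are all constructed for this illustration.

```python
"""Model of the three content matches in the posted Rovnix rule.

Constructed sample requests only; these are not captures from the pcap the
post references. The intent is to show what each Snort content modifier does.
"""

# Constructed test inputs: one request shaped like the traffic the rule
# targets, plus near-misses that exercise each modifier.
SAMPLE_REQUESTS = {
    "hit": (b"GET /ld.aspx?id=1 HTTP/1.1\r\n"
            b"Host: c2.example.invalid\r\n"
            b"User-Agent: FWVersionTestAgent\r\n\r\n"),
    # Upper-case URI: still matches because of `nocase` on the http_uri content.
    "uri_upper": (b"GET /LD.ASPX HTTP/1.1\r\n"
                  b"Host: c2.example.invalid\r\n"
                  b"User-Agent: FWVersionTestAgent\r\n\r\n"),
    # Lower-case User-Agent: no match, that content has no `nocase`.
    "ua_lower": (b"GET /ld.aspx HTTP/1.1\r\n"
                 b"Host: c2.example.invalid\r\n"
                 b"User-Agent: fwversiontestagent\r\n\r\n"),
    # Extra version suffix: no match, the trailing |0d 0a| requires CRLF
    # immediately after the agent string.
    "ua_suffix": (b"GET /ld.aspx HTTP/1.1\r\n"
                  b"Host: c2.example.invalid\r\n"
                  b"User-Agent: FWVersionTestAgent/1.0\r\n\r\n"),
    # Ordinary browser traffic: no match on URI or User-Agent.
    "benign": (b"GET /index.html HTTP/1.1\r\n"
               b"Host: www.example.invalid\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n"),
}

# Snort hex escapes |3a 20| and |0d 0a| expand to ": " and "\r\n".
UA_PATTERN = (b"User-Agent" + bytes.fromhex("3a20")
              + b"FWVersionTestAgent" + bytes.fromhex("0d0a"))


def parse_request_line(raw: bytes):
    """Return (method, uri) from the first line, or None if malformed."""
    head = raw.split(b"\r\n", 1)[0]
    parts = head.split(b" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def rovnix_rule_matches(raw: bytes) -> bool:
    """Apply the rule's three content checks to one client->server request."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    _method, uri = parsed

    # content:"GET";  -> no buffer modifier, so it matches anywhere in the payload.
    if b"GET" not in raw:
        return False

    # content:"/ld.aspx"; nocase; http_uri;  -> case-insensitive, URI buffer only.
    # The pattern is already lower-case, so lowering the URI is equivalent.
    if b"/ld.aspx" not in uri.lower():
        return False

    # content:"User-Agent|3a 20|FWVersionTestAgent|0d 0a|"; fast_pattern:only;
    # -> exact bytes, case-sensitive, header line must end right after the agent.
    return UA_PATTERN in raw


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule model."""
    return {name: rovnix_rule_matches(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:10s} -> {'ALERT' if verdict else 'no alert'}")
```

Two things the model makes visible when tuning the rule: `content:"GET"` without `http_method` fires on any payload containing those three bytes, so the real narrowing is done by the URI and User-Agent contents; and because the User-Agent content ends in `|0d 0a|`, any variant that appends a version string to the agent name will slip past it, which is worth weighing against the false-positive cost of dropping the trailing CRLF.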
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

