Snort mailing list archives

Asprox Sig


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 12 Nov 2013 14:05:16 -0700

Ok..so how bad did I hose this:

# Note: the Content-Disposition line with name="key" and filename="key.bin" is a
# multipart part header inside the POST body, so it is matched in the
# http_client_body buffer rather than http_header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Win32/Asprox Outbound Traffic"; \
    flow:to_server,established; \
    content:"User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| WOW64|3b| rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0"; fast_pattern:only; http_header; \
    content:"Content-Disposition|3a| form-data|3b| name=|22|key|22 3b| filename=|22|key.bin|22|"; http_client_body; \
    reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html; \
    classtype:bad-unknown; sid:10000111; rev:1; \
)

James
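An added example (not from the post or the Snort project) that decodes the rule's two content strings from Snort's |hex| notation and checks them against a constructed multipart POST and a benign GET carrying the same Firefox 23 User-Agent; the buffer split is only an approximation of Snort's http_header and http_client_body buffers (assumed: header fields without the request line, and the POST body).

```python
# Added example: offline sanity check of the rule's two content strings.
# The buffer split only approximates Snort's http_header / http_client_body
# buffers (assumed: header fields minus the request line, and the POST body).

RULE_CONTENTS = [  # (buffer, content string in Snort |hex| notation), from the rule
    ("header", "User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| WOW64|3b| "
               "rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0"),
    ("body", "Content-Disposition|3a| form-data|3b| name=|22|key|22 3b| "
             "filename=|22|key.bin|22|"),
]

def decode_snort_content(pattern: str) -> bytes:
    """Expand |hh hh| escapes to raw bytes; text outside the pipes is literal."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def split_request(raw: bytes) -> dict:
    """Split a raw HTTP request into the two buffers the rule inspects."""
    head, _, body = raw.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return {"header": headers, "body": body}

def rule_matches(raw: bytes) -> bool:
    """True only when every content string is found in its assigned buffer."""
    bufs = split_request(raw)
    return all(decode_snort_content(p) in bufs[b] for b, p in RULE_CONTENTS)

UA = b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n"

# Constructed sample traffic (not a real capture): multipart POST carrying key.bin.
ASPROX_LIKE_POST = (
    b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n" + UA +
    b"Content-Type: multipart/form-data; boundary=XXXX\r\n\r\n"
    b"--XXXX\r\n"
    b'Content-Disposition: form-data; name="key"; filename="key.bin"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"\x00\x01\x02\r\n--XXXX--\r\n"
)

# Same Firefox 23 User-Agent on an ordinary GET with no body: must NOT match.
BENIGN_GET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n" + UA + b"\r\n"

if __name__ == "__main__":
    print("Asprox-like POST:", rule_matches(ASPROX_LIKE_POST))  # True
    print("benign GET:", rule_matches(BENIGN_GET))  # False
```

The benign GET shows why the User-Agent alone is not a usable signature: the multipart part header is what separates the C2 upload from ordinary Firefox 23 browsing.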

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org