Re: Rawbytes needed?

[Y M <snort () outlook com>]

Hi James,
 
How about using file_data? Also there is a missing pipe "|" at the end of the content pattern :).
 
YM
 
> To: snort-sigs () lists sourceforge net
> Date: Wed, 5 Feb 2014 11:34:42 -0700
> From: jlay () slave-tothe-box net
> Subject: [Snort-sigs] Rawbytes needed?
>
> What say you all?
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC 
> Win32/Asprox Variant Outbound Traffic"; flow:from_server, established; 
> content:"|3c|html|3e 3c|body|3e|hi|21 3c 2f|body|3e 3c 2f|html|3e"; 
> fast_pattern:only; 
> reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; 
> classtype:trojan-activity; sid:10000124; rev:1;)
>
> Guessing html and body tags will get normalized yes?
>
> James
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!