List:       snort-sigs
Subject:    Re: [Snort-sigs] Kuluoz-ishness
From:       James Lay <jlay () slave-tothe-box ! net>
Date:       2013-07-11 18:07:37
Message-ID: 543303148c043b008d608cfececc9b1a () localhost
On 2013-07-11 11:51, Nick Randolph wrote:
> Thanks for the info James. I grabbed the samples listed in the pastebin
> link and ran them here. They were picked up with sid:25675, which is
> already in the community ruleset. I made some updates based on the
> samples and it should be a much faster rule now. Here is what it looks
> like now:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC
> Win.Trojan.Fakeavlock variant outbound connection";
> flow:to_server,established; dsize:267<>276; content:"User-Agent|3A|
> Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B|
> en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159;
> pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy
> balanced-ips drop, policy security-ips drop, ruleset community,
> service http;
> reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/;
> classtype:trojan-activity; sid:25675; rev:7;)
> 

Ah...thanks Nick...I've been trying to search my current rules before 
looking at creating a new rule...looks like I'll need to stop looking at 
title names (Kuluoz) and look at actual rule content :)  Thanks again 
Nick.

James
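As an added example (not from this thread or the Snort project), the following Python code applies the payload conditions of the quoted sid:25675 rule to a constructed HTTP request, reporting each condition separately so a miss on a sample can be explained. The request bytes are made up for illustration; flow:to_server,established is a stream-state condition and is not modelled here.

```python
import re

# Constructed sample request in the shape the rule describes (not a real capture):
# URI is "/" plus 158 upper-case hex characters, so urilen is 159.
SAMPLE_URI = "/" + "A1B2C3D4" * 19 + "E5F6F0"
SAMPLE_REQUEST = (
    f"GET {SAMPLE_URI} HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)\r\n"
    "\r\n"
).encode()

# Payload conditions copied from the rule; the header content is the |3A|/|3B|/|0D 0A|
# hex escapes written out as bytes.
RULE = {
    "dsize_min": 267, "dsize_max": 276,   # dsize:267<>276 (bounds treated as inclusive here; assumption)
    "urilen": 159,                         # urilen:159
    "ua_header": b"User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)\r\n",
    "uri_pcre": re.compile(r"\x2f[A-F0-9]{158}"),   # pcre:"/\x2f[A-F0-9]{158}/U"
}


def parse_request(payload: bytes):
    """Return (uri, header_block_with_crlf) for a raw HTTP request, or None if malformed."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    # Re-add the CRLF that partition() stripped so the |0D 0A| tail of the content matches.
    return parts[1].decode("ascii", "replace"), header_block + b"\r\n"


def evaluate_rule(payload: bytes) -> dict:
    """Evaluate each payload condition of sid:25675 on one TCP payload (dsize = full payload)."""
    parsed = parse_request(payload)
    if parsed is None:
        return {"dsize": False, "http_header": False, "urilen": False, "pcre": False, "alert": False}
    uri, headers = parsed
    checks = {
        "dsize": RULE["dsize_min"] <= len(payload) <= RULE["dsize_max"],
        "http_header": RULE["ua_header"] in headers,        # content ... http_header
        "urilen": len(uri) == RULE["urilen"],
        "pcre": RULE["uri_pcre"].search(uri) is not None,   # /U: matched against the URI
    }
    checks["alert"] = all(checks.values())
    return checks


if __name__ == "__main__":
    print(len(SAMPLE_REQUEST), evaluate_rule(SAMPLE_REQUEST))
```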
