List: snort-sigs
Subject: Re: [Snort-sigs] Rawbytes needed?
From: Y M <snort () outlook ! com>
Date: 2014-02-05 19:38:44
Message-ID: COL129-W794D8A9E2E52F004C772D9A8950 () phx ! gbl
Hi James,
How about using file_data? Also there is a missing pipe "|" at the end of the content pattern :).
YM
> To: snort-sigs@lists.sourceforge.net
> Date: Wed, 5 Feb 2014 11:34:42 -0700
> From: jlay@slave-tothe-box.net
> Subject: [Snort-sigs] Rawbytes needed?
>
> What say you all?
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
> Win32/Asprox Variant Outbound Traffic"; flow:from_server, established;
> content:"|3c|html|3e 3c|body|3e|hi|21 3c 2f|body|3e 3c 2f|html|3e";
> fast_pattern:only;
> reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html;
> classtype:trojan-activity; sid:10000124; rev:1;)
>
> Guessing html and body tags will get normalized yes?
>
> James
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
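The two points raised above can be checked offline with the following added example (not code from the thread or from the Snort project): a small decoder for Snort's `|hex|` content syntax rejects the posted pattern because its closing pipe is missing, and shows the bytes the corrected pattern matches when applied to the body of a constructed HTTP response, which is roughly the buffer `file_data` points detection at.

```python
import re
from typing import Optional

# Constructed sample patterns: the content string as posted in the thread
# (final "|" missing) and the same string with the pipe restored.
POSTED_PATTERN = "|3c|html|3e 3c|body|3e|hi|21 3c 2f|body|3e 3c 2f|html|3e"
FIXED_PATTERN = "|3c|html|3e 3c|body|3e|hi|21 3c 2f|body|3e 3c 2f|html|3e|"

# Constructed HTTP response carrying the page the rule is looking for.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 29\r\n\r\n"
    b"<html><body>hi!</body></html>"
)


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode a Snort 'content' string into the raw bytes it matches.

    Text outside pipes is literal; text between a pair of pipes is a run of
    whitespace-separated hex bytes. An odd number of pipes means a hex
    section was opened and never closed, which is the defect in the
    posted pattern.
    """
    if pattern.count("|") % 2:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    # split() alternates literal, hex, literal, hex, ...
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            for tok in chunk.split():
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                    raise ValueError(f"bad hex byte {tok!r}")
                out.append(int(tok, 16))
    return bytes(out)


def http_body(response: bytes) -> bytes:
    """Return everything after the header block: roughly the buffer that
    Snort's file_data option selects for an HTTP response."""
    _head, sep, body = response.partition(b"\r\n\r\n")
    return body if sep else b""


def matches(pattern: str, buffer: bytes) -> bool:
    """Plain substring test, which is what 'content' does on a buffer."""
    return snort_content_to_bytes(pattern) in buffer


def posted_pattern_error() -> Optional[str]:
    """Return the decoder's error for the posted pattern, or None if valid."""
    try:
        snort_content_to_bytes(POSTED_PATTERN)
    except ValueError as exc:
        return str(exc)
    return None
```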