List: snort-sigs
Subject: Re: [Snort-sigs] Rawbytes needed?
From: James Lay <jlay () slave-tothe-box ! net>
Date: 2014-02-05 19:50:22
Message-ID: 770264f9f5d07fca007fec426173fde9 () localhost
On 2014-02-05 12:38, Y M wrote:
> Hi James,
>
> How about using file_data? Also there is a missing pipe "|" at the
> end
> of the content pattern :).
>
> YM
>
Ah thank you. RM mentioned that as well...my concern was that the date
would get normalized, but I'll give it a go. Thanks for the look to
both of you :) New rev here:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"MALWARE-CNC Win32/Asprox Variant Outbound Traffic"; \
    flow:from_server,established; \
    file_data; \
    content:"|3c|html|3e 3c|body|3e|hi|21 3c 2f|body|3e 3c 2f|html|3e|"; fast_pattern:only; \
    reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; \
    classtype:trojan-activity; sid:10000124; rev:2; \
)
James
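An added example, not part of the thread: a small Python check that decodes the rule's content pattern (literal text plus |hex| sections) into bytes, flags the unbalanced-pipe defect from rev 1, and runs the pattern against a constructed HTTP response. The body extraction only approximates file_data (an assumption; Snort's file_data also applies decoding and normalization).

```python
import re

# Content pattern from rev 2 of the rule in this thread.
ASPROX_CONTENT = "|3c|html|3e 3c|body|3e|hi|21 3c 2f|body|3e 3c 2f|html|3e|"


def decode_snort_content(pattern: str) -> bytes:
    """Translate a Snort content string into the raw bytes it matches.

    Text outside pipes is literal; inside |...| are space-separated hex bytes.
    An odd number of pipes (the missing closing pipe from rev 1) is an error,
    since Snort has no way to tell where the hex section ends.
    """
    if pattern.count("|") % 2:
        raise ValueError("unbalanced '|' in content pattern (missing pipe)")
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:                      # literal text section
            out += part.encode("latin-1")
        else:                               # hex section
            for h in part.split():
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", h):
                    raise ValueError(f"bad hex byte {h!r} in content pattern")
                out.append(int(h, 16))
    return bytes(out)


def pattern_is_valid(pattern: str) -> bool:
    """True if the content string parses; False on the rev-1 style defect."""
    try:
        decode_snort_content(pattern)
        return True
    except ValueError:
        return False


def http_body(response: bytes) -> bytes:
    """Crude stand-in for file_data (assumption): the bytes after the headers."""
    _head, sep, body = response.partition(b"\r\n\r\n")
    return body if sep else b""


def rule_matches(response: bytes, pattern: str = ASPROX_CONTENT) -> bool:
    """Does the decoded content pattern occur in the response body?"""
    return decode_snort_content(pattern) in http_body(response)


# Constructed sample response (not a real capture) shaped like the C2 reply.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 29\r\n\r\n"
    b"<html><body>hi!</body></html>"
)
```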