Home page logo
/

snort logo Snort mailing list archives

Re: Zeus P2P-proxy sig
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 7 Jun 2013 15:30:34 -0400

On Jun 7, 2013, at 3:22 PM, James Lay <jlay () slave-tothe-box net> wrote:

Yep.

alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 (msg:"MALWARE-CNC 
Zeus P2P-proxy C2 Write command"; flow:to_server,established; 
content:"POST |2f|write HTTP|2f|1.1"; depth:25; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:url,http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; 
classtype:trojan-activity; sid:10000075; rev:1;)


Thanks James, yes we were looking at that this morning too.  We've been putting the IPs responsible for Zeus in our 
blacklist feed for sometime now.  They are working great, we add about 2k a day.  But this type of sig will help people 
find infections in their network they weren't aware of.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]