Home page logo
/

snort logo Snort mailing list archives

Re: Zeus P2P-proxy sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 07 Jun 2013 13:33:03 -0600

On 2013-06-07 13:30, Joel Esler wrote:
On Jun 7, 2013, at 3:22 PM, James Lay <jlay () slave-tothe-box net [2]>
wrote:

Yep.

alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000
(msg:"MALWARE-CNC
Zeus P2P-proxy C2 Write command"; flow:to_server,established;
content:"POST |2f|write HTTP|2f|1.1"; depth:25; metadata:policy
balanced-ips drop, policy security-ips drop, service http;
reference:url,http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf [1];
classtype:trojan-activity; sid:10000075; rev:1;)

Thanks James, yes we were looking at that this morning too. We've 
been
putting the IPs responsible for Zeus in our blacklist feed for
sometime now. They are working great, we add about 2k a day. But this
type of sig will help people find infections in their network they
weren't aware of.

--
JOEL ESLER
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Thanks Joel...lot's of good info in that pdf.

James

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault