Home page logo
/

snort logo Snort mailing list archives

Trojan.APT.Seinup sig with pcre help request
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 19 Jun 2013 12:07:17 -0600

This one hurt my head:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Trojan.Win32.APT.Seinup outbound connection"; 
flow:to_server,established; content:"php|3f|"; http_uri; 
pcre:"/\x2ephp\x3fa-z0-9]{11,13}=[a-z0-9]{3,7}\x26/"; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
reference:url,http://www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html; 
classtype:trojan-activity; sid:10000081; rev:1;)

Is that PCRE too beefy?  I didn't go the full length of the url..it's 
pretty nuts.  Thanks for any help on this all.

James

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault