Home page logo

snort logo Snort mailing list archives

Re: Syndicasec Stage Two traffic sig
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 23 May 2013 15:52:04 -0600

On 2013-05-23 15:38, rmkml wrote:
Hi James,

Big thx you again for sharing malware rules!

Warn: change http_uri to http_client_body please

content HTTP/1.0 with http_header not fire for me.


Thanks Rm...good catch..how's this lookin:

Trojan.Win32.Syndicasec Stage Two traffic"; flow:to_server,established; 
content:"POST"; http_method; content:"HTTP/1.0"; 
content:"cstype=server|26|authname="; http_client_body; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; 
classtype:trojan-activity; sid:10000072; rev:2;)


Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]