Quick Kuluoz sig

[James Lay <jlay () slave-tothe-box net>]

Got 3 minutes before I'm out for a three day ;)  Tired of searching for 
these in email pcaps, so here's the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS 
Possible Kuluoz spamvertised URL in email"; flow:to_server,established; 
content:"href=|22|http|3a 2f 2f|"; content:".htm|22|"; distance:0; 
within:50; pcre:"/\x2f[A-Z]{10}\.htm\x22/ms"; metadata:policy 
balanced-ips drop, policy security-ips drop, service smtp; 
classtype:trojan-activity; 
reference:url,http://blog.webroot.com/2012/08/31/cybercriminals-impersonate-ups-serve-malware; 
sid:10000021; rev:1;)

Your mileage may vary...stacked up well in my testing.  Have a good 
three day (for those in the USA) weekend all!!

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!