[Emerging-Sigs] gicia.info

Philipp Bescht philipp at bescht.de
Tue Jul 8 14:56:16 EDT 2008


hi,

gicia.info is a c&c related to the injected domain google-stat.net
as mentioned in the recent ISC SANS diary ('Bad url classification'). I
came across this one a few months ago already and noticed the
URI parameters did not change. The requests look like this:

GET /cd/cd.php?id=1C8E0A5E3A08956&ver=nz1
GET /cd/un2.php?id=1C8E0A5E3A08956&ver=nz0
GET /cd/cd.php?id=1C8E0A5E3A08956&ver=nz0
GET /cd/cd.php?id=1-1C8E0A5E592D4D0&ver=nz1
GET /cd/un.php?id=1C8E0A5E3A08956&ver=ig0

Now I propose the following 3 signatures:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"gicia.info trojan activity"; flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2009957; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"gicia.info trojan activity 2"; flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2009958; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"gicia.info trojan activity 3"; flow:established,to_server; uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver=ig"; nocase; classtype:trojan-activity; sid:2009959; rev:1;)

My question is: Is it better (in terms of performance) to sum those
up in one single signature using pcre, or is there anything else to
optimize (perhaps even using just the first signature and skipping the
others)?

Thanks in advance and best regards,
Philipp
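Added example (not part of the post above, and not an Emerging Threats rule): a small Python harness that emulates the three proposed uricontent rules and one hypothetical combined rule (a `uricontent:"/cd/"` anchor plus a pcre alternation, my construction) over the request URIs quoted in the post plus a few constructed edge cases. It answers the "collapse into one pcre" question empirically: the function `compare_rules` lists every URI on which the single pcre rule and the three-rule set disagree, which is the check to run before replacing rules. The combined pattern, the extra sample URIs and all function names are assumptions of this example.

```python
import re

# Request URIs from the post, plus a few constructed edge cases, in the form
# Snort's uricontent / pcre with the U modifier would inspect (normalized URI).
SAMPLE_URIS = [
    "/cd/cd.php?id=1C8E0A5E3A08956&ver=nz1",      # from the post
    "/cd/un2.php?id=1C8E0A5E3A08956&ver=nz0",     # from the post
    "/cd/cd.php?id=1C8E0A5E3A08956&ver=nz0",      # from the post
    "/cd/cd.php?id=1-1C8E0A5E592D4D0&ver=nz1",    # from the post
    "/cd/un.php?id=1C8E0A5E3A08956&ver=ig0",      # from the post
    "/CD/CD.PHP?ID=1C8E0A5E3A08956&VER=NZ1",      # constructed: case variant
    "/cd/cd.php?id=1&extra=2&ver=nz1",            # constructed: parameter between id and ver
    "/cd/un.php?id=1C8E0A5E3A08956&ver=nz0",      # constructed: un.php with the nz prefix
    "/images/cd.php?id=1&ver=nz1",                # constructed: different path, benign
    "/cd/cd.php?id=1&ver=xy1",                    # constructed: unknown ver prefix, benign
]

# The three proposed rules, keyed by sid. A rule fires when every listed
# uricontent string occurs in the URI; nocase makes the test case-insensitive.
RULES = {
    2009957: ("/cd/cd.php?id=", "&ver=nz"),
    2009958: ("/cd/un2.php?id=", "&ver=nz"),
    2009959: ("/cd/un.php?id=", "&ver=ig"),
}


def uricontent_match(uri: str, needles) -> bool:
    """Emulate a chain of `uricontent:"..."; nocase;` keywords with no
    offset/depth/distance modifiers: each needle may occur anywhere."""
    folded = uri.lower()
    return all(needle.lower() in folded for needle in needles)


def match_three_rules(uri: str):
    """Return the sids of the proposed rules that would fire on this URI."""
    return sorted(sid for sid, needles in RULES.items()
                  if uricontent_match(uri, needles))


# Hypothetical single replacement rule (my construction, not from the post).
# It keeps one plain uricontent so the fast-pattern matcher can still
# prefilter packets, and uses pcre only for the alternation:
#   uricontent:"/cd/"; nocase;
#   pcre:"/^\/cd\/(?:cd|un2?)\.php\?id=[^&]*&ver=(?:nz|ig)/Ui";
COMBINED_PREFILTER = "/cd/"
COMBINED_PCRE = re.compile(r"^/cd/(?:cd|un2?)\.php\?id=[^&]*&ver=(?:nz|ig)",
                           re.IGNORECASE)


def match_combined(uri: str) -> bool:
    """Emulate the combined rule: content prefilter first, then the pcre."""
    if COMBINED_PREFILTER not in uri.lower():
        return False
    return COMBINED_PCRE.search(uri) is not None


def compare_rules(uris):
    """List every URI where the combined rule and the three-rule set
    disagree, as (uri, fired_by_three_rules, fired_by_combined)."""
    diffs = []
    for uri in uris:
        three = bool(match_three_rules(uri))
        combined = match_combined(uri)
        if three != combined:
            diffs.append((uri, three, combined))
    return diffs


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:45s} sids={match_three_rules(uri)} "
              f"combined={match_combined(uri)}")
    print("disagreements:", compare_rules(SAMPLE_URIS))
```

On this corpus the combined pattern both widens and narrows coverage: it fires on `un.php` with the `nz` prefix (a combination none of the three rules alerts on) and misses the case where another parameter sits between `id` and `ver` (which the unordered uricontent pair catches). Two further points bear on the performance question: a rule whose only payload test is a pcre has no content for Snort's fast-pattern matcher, so the regex is evaluated on every packet the header and port group let through, which is usually a worse trade than three content-anchored rules; and collapsing the rules also loses the per-variant sids, which are what lets an analyst tell the `un.php`/`un2.php` check-ins apart from the `cd.php` beacon in alert data.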

