[Emerging-Sigs] kazakaza.php trojan communications

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 12 19:43:30 EDT 2010


On Oct 12, 2010, at 7:40 PM, Joel Esler wrote:
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> ZeuS http client library detected"; content:"GET "; depth:4;
>> content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d
>> 0a|User-Agent|3a| "; classtype:trojan-activity;
>> sid:2011811; rev:2;)
> 
> I think the "GET" content match is superfluous.
> 

We need to exclude POST is why.

Thanks

Matt


> --
> Joel Esler
> 302-223-5974


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
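To make Matt's point concrete, here is an added example (not code from the thread, Snort, or the ET ruleset) that emulates the two content checks of the rule quoted above in plain Python and runs them over constructed HTTP request payloads. The request paths, hostnames and User-Agent strings are made up for illustration; the `|xx|` hex escapes from the rule are expanded into raw bytes.

```python
# Minimal emulation of Snort "content"/"depth" semantics for the ET rule quoted
# in this thread (sid:2011811 rev:2). Illustrative only; it is not Snort's or
# Suricata's matching engine, and the sample payloads below are constructed.

from typing import Optional


def content_match(payload: bytes, content: bytes, depth: Optional[int] = None) -> bool:
    """Return True if `content` occurs in `payload`.

    With `depth`, the match must lie entirely within the first `depth` bytes,
    which is how Snort's `depth` modifier bounds the search window.
    """
    window = payload if depth is None else payload[:depth]
    return window.find(content) != -1


# Second content match from the rule, with |0d 0a| and |3a| expanded.
ZEUS_HEADER_SEQUENCE = (
    b" HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\nUser-Agent: "
)


def matches_rule(payload: bytes, require_get: bool = True) -> bool:
    """Apply the rule's content checks to a raw client-to-server HTTP payload.

    `require_get=False` drops the leading `content:"GET "; depth:4;` check so
    the effect of that match can be compared directly.
    """
    if require_get and not content_match(payload, b"GET ", depth=4):
        return False
    return content_match(payload, ZEUS_HEADER_SEQUENCE)


# Constructed sample payloads (hostnames, paths and UA strings are placeholders).
SAMPLE_GET = (
    b"GET /example/path HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Connection: Close\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; placeholder)\r\n"
    b"Host: example.invalid\r\n\r\n"
)

# Same header ordering, but a POST: the thread's reason for keeping "GET ".
SAMPLE_POST = (
    b"POST /example/path HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Connection: Close\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; placeholder)\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# A typical browser request: different header order, so the sequence never appears.
SAMPLE_BROWSER_GET = (
    b"GET /example/path HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (placeholder)\r\n"
    b"Accept: */*\r\n"
    b"Connection: keep-alive\r\n\r\n"
)


def summary() -> dict:
    """Collect the outcomes so the difference the "GET " check makes is visible."""
    return {
        "get_with_rule": matches_rule(SAMPLE_GET),
        "post_with_rule": matches_rule(SAMPLE_POST),
        "post_without_get_check": matches_rule(SAMPLE_POST, require_get=False),
        "browser_get_with_rule": matches_rule(SAMPLE_BROWSER_GET),
    }


if __name__ == "__main__":
    for name, hit in summary().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The POST payload carries exactly the same header sequence as the GET, so only the `depth:4` check on `"GET "` keeps it from firing; dropping that check makes the POST match too, which is the behaviour the thread is discussing.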