[Emerging-Sigs] kazakaza.php trojan communications

Joel Esler jesler at sourcefire.com
Tue Oct 12 20:15:21 EDT 2010


On Oct 12, 2010, at 7:43 PM, Matthew Jonkman wrote:
> On Oct 12, 2010, at 7:40 PM, Joel Esler wrote:
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>> ZeuS http client library detected"; content:"GET "; depth:4;
>>> content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d
>>> 0a|User-Agent|3a| "; classtype:trojan-activity;
>>> sid:2011811; rev:2;)
>> 
>> I think the "GET" content match is superfluous.
>> 
> 
> We need to exclude POST is why.

Just read back through the thread. I see why now.  Thanks Matt.

--
Joel Esler
302-223-5974


