[Emerging-Sigs] kazakaza.php trojan communications
jesler at sourcefire.com
Tue Oct 12 20:15:21 EDT 2010
On Oct 12, 2010, at 7:43 PM, Matthew Jonkman wrote:
> On Oct 12, 2010, at 7:40 PM, Joel Esler wrote:
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>> ZeuS http client library detected"; content:"GET "; depth:4;
>>> content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d
>>> 0a|User-Agent|3a| "; classtype:trojan-activity;
>>> sid:2011811; rev:2;)
>> I think the "GET" content match is superfluous.
> We need to exclude POST is why.
Just read back through the thread. I see why now. Thanks Matt.
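The exclusion Matt describes, as an added example that is not part of the original thread: a Python re-implementation of the rule's two content matches run over constructed HTTP requests, showing that the `GET ` match with `depth:4` is what rejects a POST carrying the same header sequence. The request samples are constructed, not captured traffic.

```python
# Content matches from ET sid:2011811 rev:2, as quoted in the thread.
# (pattern, depth): depth=None means search the whole payload.
RULE_CONTENTS = [
    ("GET ", 4),  # content:"GET "; depth:4; -> must sit in the first 4 bytes
    (' HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| ', None),
]


def snort_content_to_bytes(s: str) -> bytes:
    """Convert Snort content syntax (literal text with |hex hex| escapes) to raw bytes."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)      # hex segment between pipes
    return bytes(out)


def rule_matches(payload: bytes) -> bool:
    """Apply each content match independently from payload start (no distance/within),
    honouring the depth modifier where the rule sets one."""
    for pattern, depth in RULE_CONTENTS:
        needle = snort_content_to_bytes(pattern)
        haystack = payload if depth is None else payload[:depth]
        if needle not in haystack:
            return False
    return True


# Constructed sample requests (hypothetical paths and host, not real traffic).
COMMON_TAIL = (b" HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
               b"User-Agent: Mozilla/4.0\r\nHost: example.invalid\r\n\r\n")
GET_REQ = b"GET /update" + COMMON_TAIL          # matches: GET plus the header sequence
POST_REQ = b"POST /upload" + COMMON_TAIL        # same headers, but first 4 bytes are "POST"
BROWSER_GET = (b"GET /update HTTP/1.1\r\nHost: example.invalid\r\n"
               b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")  # different header order

if __name__ == "__main__":
    for name, req in [("GET", GET_REQ), ("POST", POST_REQ), ("browser GET", BROWSER_GET)]:
        print(f"{name:12s} -> {'ALERT' if rule_matches(req) else 'no match'}")
```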