[Emerging-Sigs] kazakaza.php trojan communications
wkitty42 at windstream.net
Wed Oct 13 19:22:32 EDT 2010
On 10/12/2010 19:17, Matthew Jonkman wrote:
> Ok, going with this:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeuS http client library detected"; content:"GET "; depth:4; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| "; classtype:trojan-activity; sid:2011811; rev:1;)
> If we do http_header as I understand the 0d 0a's will be normalized out.
That's one of the things I'm kinda curious about: how we should handle them now... IIUC, Snort is doing part of the work for us now?? How can it tell, for instance, if there's a space after the colon in the UA string or not, like the recent rule that has been submitted?
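An added illustration, not part of the original post: the quoted rule's two content matches applied to constructed requests, plus a hypothetical header normalizer (an assumption for illustration, not Snort's http_header code) showing why the `|0d 0a|` bytes and the colon-space distinction raised above would vanish in a normalized buffer.

```python
# Added example: applies the content matches of the quoted ZeuS rule to
# constructed HTTP requests. normalize_headers() is a hypothetical stand-in
# for a normalizing header buffer, NOT Snort's http_header implementation.

# Byte sequence from the rule:
# Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| <space>
RULE_HEADERS = b"Accept: */*\r\nConnection: Close\r\nUser-Agent: "


def rule_matches(payload: bytes) -> bool:
    """content:"GET "; depth:4 -- then the header sequence anywhere after it."""
    if payload[:4] != b"GET ":
        return False
    return RULE_HEADERS in payload[4:]


def normalize_headers(payload: bytes) -> bytes:
    """Hypothetical normalizer: request line kept, each header rewritten as
    'Name: value' with exactly one space after the colon, lines joined by LF."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    out = [lines[0]]
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        out.append(name.strip() + b": " + value.strip())
    return b"\n".join(out)


def build_request(ua_sep: bytes = b" ") -> bytes:
    """Constructed sample request in the header order the rule expects."""
    return (b"GET /kazakaza.php HTTP/1.1\r\n"
            b"Accept: */*\r\n"
            b"Connection: Close\r\n"
            b"User-Agent:" + ua_sep + b"Mozilla/4.0\r\n"
            b"Host: example.invalid\r\n\r\n")


def compare() -> dict:
    with_space = build_request(b" ")
    no_space = build_request(b"")
    return {
        "raw_with_space": rule_matches(with_space),       # True
        "raw_no_space": rule_matches(no_space),           # False: rule wants ': '
        "normalized_with_space": rule_matches(normalize_headers(with_space)),  # False: CRLF gone
        "normalized_equal": normalize_headers(with_space) == normalize_headers(no_space),  # True
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```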