[Emerging-Sigs] kazakaza.php trojan communications

waldo kitty wkitty42 at windstream.net
Wed Oct 13 19:22:32 EDT 2010


On 10/12/2010 19:17, Matthew Jonkman wrote:
> Ok, going with this:
>
> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeuS http client library detected"; content:"GET "; depth:4; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| "; classtype:trojan-activity; sid:2011811; rev:1;)
>
> If we do http_header, as I understand it, the 0d 0a's will be normalized out.

That's one of the things that I'm kinda curious about: how we should handle them
now... IIUC, snort is doing part of the work for us now?? How can it tell, for
instance, if there's a space after the colon in the UA string or not, like the
recent rule that has been submitted?
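As an added illustration of the question raised in this thread (not code from the list or from the ET project): the two content matches of the proposed sid:2011811 rule applied to a constructed client request, first on the raw payload and then on a simplified header buffer in which CRLFs are replaced and the whitespace after each colon is collapsed. That buffer is a constructed model of the concern, not Snort's actual http_header normalization.

```python
# Content matches taken from the proposed rule in the thread.
CONTENT_1 = b"GET "                 # content:"GET "; depth:4 -> must sit at offset 0
CONTENT_2 = (b"Accept: */*\r\n"     # |3a| is ':', |0D 0A| is CRLF
             b"Connection: Close\r\n"
             b"User-Agent: ")       # note the trailing space after the colon

# Constructed sample traffic (not real captures).
ZEUS_LIKE = (b"GET /cfg.bin HTTP/1.1\r\n"
             b"Accept: */*\r\n"
             b"Connection: Close\r\n"
             b"User-Agent: Mozilla/4.0\r\n"
             b"Host: example.invalid\r\n\r\n")
NO_SPACE = ZEUS_LIKE.replace(b": ", b":")       # same headers, no space after ':'
BROWSER = (b"GET / HTTP/1.1\r\n"
           b"Host: example.invalid\r\n"
           b"User-Agent: Mozilla/5.0\r\n"
           b"Accept: */*\r\n"
           b"Connection: keep-alive\r\n\r\n")


def matches_rule(payload: bytes) -> bool:
    """Apply both content matches as written, on the raw payload."""
    if payload[:4] != CONTENT_1:            # depth:4 limits the first match
        return False
    # No distance/within modifier, so the second content is searched
    # over the whole buffer, not relative to the first match.
    return CONTENT_2 in payload


def normalized_header(payload: bytes) -> bytes:
    """Constructed model of a normalized header buffer (assumption, not
    Snort's algorithm): request line dropped, CRLF -> LF, and exactly one
    space after each header-name colon."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    out = []
    for line in head.split(b"\r\n")[1:]:    # skip the request line
        name, _, value = line.partition(b":")
        out.append(name + b": " + value.strip())
    return b"\n".join(out) + b"\n"


def matches_on_normalized(payload: bytes) -> bool:
    """The header content match, run on the modelled normalized buffer."""
    return CONTENT_2 in normalized_header(payload)
```

On the raw payload the rule fires for the constructed ZeuS-like request and not for the no-space or browser variants, while on the modelled buffer the CRLF-bearing content never matches and the spaced and unspaced requests become indistinguishable.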


