[Emerging-Sigs] Strange UDP Trojan check-in

Nathan nathan at packetmail.net
Tue Oct 4 16:48:15 EDT 2011

> I sat down and finally got familiar with all of the byte_* operators,
> and I think this one will work the best (confirmed against pcap):

Awesome, I pored over the 2.9.0 manual and I just never saw where I could use
a byte_extract variable in byte_test; it only said value with an integer
between 0-4294967295.  I was trying to figure out how to compare using the
byte_* operators and finally settled on a PCRE with a back reference.

> alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN ZeuS P2P
> Communication"; byte_extract:4,63,padding; byte_test:4,=,padding,67;
> dsize:72; sid:1; rev:1;)

Fine job and I learned something; thanks.  I agree this is much better than
the PCRE.
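To make the byte_extract / byte_test logic of the quoted rule concrete, here is an added Python re-implementation of its payload checks; it is not code from the thread or from the Emerging Threats ruleset. It models the three content conditions (dsize:72, byte_extract:4,63,padding, byte_test:4,=,padding,67) plus the `!53` destination-port test, and places them beside a PCRE-with-back-reference form that is my own reconstruction of the approach Nathan mentions (his actual regex is not on the page). The sample payloads are constructed, and the function takes the bare UDP payload, not a full packet.

```python
"""Added example: the match logic of the quoted ZeuS P2P rule, re-implemented.

Rule conditions modelled:
  dsize:72                      payload is exactly 72 bytes
  byte_extract:4,63,padding     read 4 bytes at offset 63 into 'padding'
  byte_test:4,=,padding,67      read 4 bytes at offset 67, require equality
  dst port !53                  skip DNS
"""
import re

DSIZE = 72
EXTRACT_OFFSET = 63   # byte_extract offset
TEST_OFFSET = 67      # byte_test offset
WIDTH = 4             # bytes converted by both keywords


def byte_ops_match(payload: bytes) -> bool:
    """Snort-style evaluation: each keyword fails closed if the payload is short."""
    # dsize:72
    if len(payload) != DSIZE:
        return False
    # byte_extract:4,63,padding  (multi-byte values default to network/big-endian order)
    if len(payload) < EXTRACT_OFFSET + WIDTH:
        return False
    padding = int.from_bytes(payload[EXTRACT_OFFSET:EXTRACT_OFFSET + WIDTH], "big")
    # byte_test:4,=,padding,67   (same endianness, so this is a raw 4-byte compare)
    if len(payload) < TEST_OFFSET + WIDTH:
        return False
    value = int.from_bytes(payload[TEST_OFFSET:TEST_OFFSET + WIDTH], "big")
    return value == padding


# Reconstructed (assumed) PCRE equivalent: skip 63 bytes, capture 4, require the
# same 4 bytes to follow. DOTALL lets '.' match any byte, including newlines.
PCRE_EQUIVALENT = re.compile(rb"^.{63}(.{4})\1", re.DOTALL)


def pcre_match(payload: bytes) -> bool:
    """Same decision via a back reference; dsize still has to be checked separately."""
    return len(payload) == DSIZE and PCRE_EQUIVALENT.match(payload) is not None


def rule_matches(dst_port: int, payload: bytes) -> bool:
    """Full rule decision for an outbound UDP datagram (network direction assumed)."""
    if dst_port == 53:          # '!53' in the rule header
        return False
    return byte_ops_match(payload)


# Constructed sample payloads (not captured traffic).
MATCHING = b"\x41" * 63 + b"\xde\xad\xbe\xef" + b"\xde\xad\xbe\xef" + b"\x00"
NONMATCHING = b"\x41" * 63 + b"\xde\xad\xbe\xef" + b"\xde\xad\xbe\xee" + b"\x00"
WRONG_SIZE = MATCHING + b"\x00"   # 73 bytes, fails dsize


if __name__ == "__main__":
    for name, p in (("MATCHING", MATCHING), ("NONMATCHING", NONMATCHING), ("WRONG_SIZE", WRONG_SIZE)):
        print(f"{name:12s} byte_ops={byte_ops_match(p)!s:5s} pcre={pcre_match(p)!s:5s} "
              f"alert(udp/8080)={rule_matches(8080, p)}")
```

Both evaluators agree on every sample, which is the point Nathan concedes: the byte_* form expresses "the 4 bytes at 63 equal the 4 bytes at 67" directly and cheaply, while the regex has to re-scan the payload and still needs dsize alongside it. Equality is the one comparison where the default big-endian conversion cannot bite; a `<` or `>` byte_test against a little-endian protocol field would need the `little` modifier.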


