[Emerging-Sigs] Strange UDP Trojan check-in

Nathan nathan at packetmail.net
Thu Oct 6 10:04:05 EDT 2011

Awesome, you used my PCRE for Snort versions that don't support byte_extract! 
I feel more special now and less dumb than before.

#Snort 2.4
alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN ZeuS P2P
Communication 1"; dsize:72; pcre:"/^.{63}(.)\1{8}$/Bs";
classtype:trojan-activity; sid:2013739; rev:4;)

/me does a happy dance because I got to use a PCRE with a back reference.

More information about the Emerging-sigs mailing list