[Emerging-Sigs] Current Events: Detection for Kuluoz spam, embedded link

Ben Koenig koenigb at gmail.com
Fri Sep 12 18:07:10 EDT 2014

I'm pretty sure I did this right, but please let me know if I didn't. This
is related to a spam campaign that shows up as Kuluoz.D: the email subject was
"You have voice message".

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS You
have voice message Kuluoz.D URI"; flow:established,to_server;
content:".php?"; http_uri; fast_pattern:only;
pcre:"/\.php\?[a-z]+=[a-zA-Z0-9\/+]{22}/U"; reference:url,
classtype:trojan-activity; sid:XxXxXxXx; rev:1;)

I didn't see any of the existing Asprox/Kuluoz rules matching that in our
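As an added check that is not part of the original post, the following Python emulates the rule's content match and pcre over a handful of constructed URIs (none of them from a real capture) so you can see what the expression does and does not fire on. The rule's pcre carries the U modifier, which makes Snort/Suricata evaluate it against the normalized HTTP URI; here the same expression is simply applied to plain URI strings. Note that {22} is not anchored at the end, so any parameter value of at least 22 characters from the class will match, which is worth keeping in mind when judging false-positive risk.

```python
import re

# Content match and PCRE taken from the posted rule. The rule's "U" modifier
# selects the normalized URI buffer in the IDS; here we run the regex directly
# on URI strings, which is equivalent for already-decoded paths.
CONTENT = ".php?"
URI_RE = re.compile(r"\.php\?[a-z]+=[a-zA-Z0-9/+]{22}")


def rule_matches(uri: str) -> bool:
    """Emulate the rule: content:".php?"; http_uri; followed by the pcre."""
    if CONTENT not in uri:  # fast_pattern content pre-filter
        return False
    return URI_RE.search(uri) is not None


def matching_uris(uris):
    """Return the subset of URIs the rule would alert on."""
    return [u for u in uris if rule_matches(u)]


# Constructed sample URIs (invented for this example, not observed traffic).
SAMPLE_URIS = [
    "/forum/voice.php?msg=aB3dE4fG5hI6jK7lM8nO9p",     # 22-char value -> hit
    "/index.php?id=123",                                # value too short -> no hit
    "/forum/voice.php?MSG=aB3dE4fG5hI6jK7lM8nO9p",     # [a-z]+ needs lowercase name -> no hit
    "/files/report.aspx?token=aB3dE4fG5hI6jK7lM8nO9p",  # no ".php?" -> no hit
    "/get.php?file=aB3dE4fG5hI6jK7lM8nO9pQ1rS2tU3v",    # longer value, {22} unanchored -> hit
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{'ALERT ' if rule_matches(uri) else 'pass  '} {uri}")
```

The last sample shows the unanchored quantifier: the rule fires on any value of 22 or more characters from the class, not only on exactly 22.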
