[Emerging-Sigs] Current Events: Detection for Kuluoz spam, embedded link

rmkml rmkml at yahoo.fr
Fri Sep 12 18:11:17 EDT 2014

Thx Ben,

Warn you missed pcre ending $/U ?


On Fri, 12 Sep 2014, Ben Koenig wrote:

> I'm pretty sure I did this right but, please let me know if I didn't. This is related to a spam campaign that shows up as Kuluoz.D: Email subject was "You have voice message".
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS You have voice message Kuluoz.D URI"; flow:established,to_server; content:".php?"; http_uri; fast_pattern:only;
> pcre:"/\.php\?[a-z]+=[a-zA-Z0-9/+]{22}"; reference:url,www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/; classtype:trojan-activity; sid:XxXxXxXx; rev:1;)
> I didn't see any of the existing Asprox/Kuluox rules matching that in our set.
> -Thanks,
> Ben.

More information about the Emerging-sigs mailing list