I sent a similar rule yesterday to the mailing list, but adding the filename on the POST that is also hardcoded:<div><br></div><div>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:&quot;ET MALWARE W32.DUQU detected&quot;; flow:to_server,established; content:&quot;User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)&quot;; nocase; http_header; content:&quot;Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|&quot;; nocase; http_client_body; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:111111; rev:1;)</div>
<div><font class="Apple-style-span" face="arial, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, sans-serif">Best Regards<br></font><br><div class="gmail_quote">2011/10/19 Christopher Granger <span dir="ltr">&lt;<a href="mailto:chrisgrangerx@gmail.com">chrisgrangerx@gmail.com</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi Emerging Threats,<div><br></div><div>What do you think about this to detect Duqu&#39;s UA?</div><div><br></div><div>
alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:&quot;W32.Duqu User-Agent&quot;; flow:to_server,established; content:&quot;User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)|0D 0A|&quot;; http_header; fast_pattern:only; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:XXXXXXX; rev:1;)</div>

<div><br></div><div>Thank you,</div><div>-Chris</div><div><br></div><div><br></div>
<br>_______________________________________________<br>
Emerging-sigs mailing list<br>
<a href="mailto:Emerging-sigs@emergingthreats.net">Emerging-sigs@emergingthreats.net</a><br>
<a href="http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>
<br>
Support Emerging Threats! Subscribe to Emerging Threats Pro <a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br>
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>_______________________________<br><br>Jaime Blasco<br><br><a href="http://www.ossim.com" target="_blank">www.ossim.com</a><br>
<a href="http://www.alienvault.com" target="_blank">www.alienvault.com</a><br>Email: <a href="mailto:jaime.blasco@alienvault.com" target="_blank">jaime.blasco@alienvault.com</a><br><br><a href="http://twitter.com/jaimeblascob" target="_blank">http://twitter.com/jaimeblascob</a><br>
<br>
</div>
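The two rules in this thread key on two hardcoded strings in the Duqu C&amp;C request: the Firefox 3.6.9 User-Agent, which sits in the HTTP request headers, and the multipart part named DSC00001.jpg, whose Content-Disposition line sits in the request body. The Python script below is an added example and is not code from either email or from the Emerging Threats ruleset: it splits a constructed multipart POST the way Snort splits the http_header and http_client_body buffers, applies both content matches case-insensitively (the rule's nocase), and shows that the Content-Disposition string is only found in the body buffer and that an upload with the same User-Agent but a different part name does not satisfy both matches. The sample requests, the boundary string, the host example.invalid and the JPEG-like payload bytes are all constructed for the example.

```python
"""Emulate the two-content Duqu POST rule over constructed HTTP requests.

Added example, not part of the mailing-list thread or any ET rule. The
requests below are built in-process; no network traffic is involved.
"""
from __future__ import annotations

# Hardcoded strings taken from the rules in the thread.
DUQU_UA = (
    b"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
    b"Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
)
UA_PATTERN = b"User-Agent: " + DUQU_UA
DISPOSITION_PATTERN = b'Content-Disposition: form-data; name="DSC00001.jpg"'


def split_request(raw: bytes) -> tuple[bytes, bytes]:
    """Split a raw HTTP/1.1 request into (header block, body).

    This mirrors what Snort exposes as the http_header buffer (everything
    before the first blank line) and the http_client_body buffer (everything
    after it). Multipart part headers are part of the body.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    return head, body


def contains_nocase(buf: bytes, pattern: bytes) -> bool:
    """Case-insensitive substring match, like a Snort content with nocase."""
    return pattern.lower() in buf.lower()


def match_duqu_post(raw: bytes) -> dict[str, bool]:
    """Apply both content matches and report which buffer each hit in."""
    head, body = split_request(raw)
    ua_in_header = contains_nocase(head, UA_PATTERN)
    disp_in_header = contains_nocase(head, DISPOSITION_PATTERN)
    disp_in_body = contains_nocase(body, DISPOSITION_PATTERN)
    return {
        "ua_in_header": ua_in_header,
        "filename_in_header_buffer": disp_in_header,
        "filename_in_body_buffer": disp_in_body,
        # Both strings must be present, each in its own buffer, to alert.
        "alert": ua_in_header and disp_in_body,
    }


def build_multipart_post(user_agent: bytes, part_name: bytes, payload: bytes,
                         boundary: bytes = b"----ConstructedBoundary42") -> bytes:
    """Build a constructed multipart/form-data POST with one file part."""
    body = (
        b"--" + boundary + b"\r\n"
        b'Content-Disposition: form-data; name="' + part_name + b'"\r\n'
        b"Content-Type: image/jpeg\r\n\r\n" + payload + b"\r\n"
        b"--" + boundary + b"--\r\n"
    )
    headers = (
        b"POST / HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"  # hypothetical C2 host, not a real one
        b"User-Agent: " + user_agent + b"\r\n"
        b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return headers + body


# Constructed samples: a JFIF-looking prefix stands in for the uploaded image.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
DUQU_LIKE_REQUEST = build_multipart_post(DUQU_UA, b"DSC00001.jpg", FAKE_JPEG)
SAME_UA_OTHER_FILE = build_multipart_post(DUQU_UA, b"photo.jpg", FAKE_JPEG)

if __name__ == "__main__":
    for label, req in (("duqu-like", DUQU_LIKE_REQUEST),
                       ("same UA, other filename", SAME_UA_OTHER_FILE)):
        print(label, match_duqu_post(req))
```

The `filename_in_header_buffer` flag is the point of the split: a content match on the Content-Disposition line restricted to the header buffer never sees it, because that line belongs to the multipart body, so the second content of a rule like this needs the client-body buffer rather than the header buffer.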