Great, thanks!<br><br><div class="gmail_quote">On Wed, Oct 19, 2011 at 9:28 PM, Matthew Jonkman <span dir="ltr">&lt;<a href="mailto:jonkman@emergingthreatspro.com">jonkman@emergingthreatspro.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Ya, saw that and was looking deeper. I worry about taking a hardcoded filename of course, but it&#39;s worth the sig.<br>
<br>
How about we do both sigs, then we&#39;ll have indication when the filename changes?<br>
<br>
Will get them both out.<br>
<br>
Thanks!<br>
<br>
Matt<br>
<div><div></div><div class="h5"><br>
<br>
On Oct 19, 2011, at 5:20 PM, Jaime Blasco wrote:<br>
<br>
&gt; I sent a similar rule yesterday to the mailing list, but adding the filename on the POST that is also hardcoded:<br>
&gt;<br>
&gt; alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:&quot;ET MALWARE W32.DUQU detected&quot;; flow:to_server,established; content:&quot;User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)&quot;; nocase; http_header; content:&quot;Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|&quot;; nocase; http_header; reference:url,<a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank">www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf</a>; classtype:policy-violation; sid:111111; rev:1;)<br>

&gt;<br>
&gt; Best Regards<br>
&gt;<br>
&gt; 2011/10/19 Christopher Granger &lt;<a href="mailto:chrisgrangerx@gmail.com">chrisgrangerx@gmail.com</a>&gt;<br>
&gt; Hi Emerging Threats,<br>
&gt;<br>
&gt; What do you think about this to detect Duqu&#39;s UA?<br>
&gt;<br>
&gt; alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:&quot;W32.Duqu User-Agent&quot;; flow:to_server,established; content:&quot;User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)|0D 0A|&quot;; http_header; fast_pattern:only; reference:url,<a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank">http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf</a>; classtype:trojan-activity; sid:XXXXXXX; rev:1;)<br>

&gt;<br>
&gt; Thank you,<br>
&gt; -Chris<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; Emerging-sigs mailing list<br>
&gt; <a href="mailto:Emerging-sigs@emergingthreats.net">Emerging-sigs@emergingthreats.net</a><br>
&gt; <a href="http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>
&gt;<br>
&gt; Support Emerging Threats! Subscribe to Emerging Threats Pro <a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br>
&gt; The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; --<br>
&gt; _______________________________<br>
&gt;<br>
&gt; Jaime Blasco<br>
&gt;<br>
&gt; <a href="http://www.ossim.com" target="_blank">www.ossim.com</a><br>
&gt; <a href="http://www.alienvault.com" target="_blank">www.alienvault.com</a><br>
&gt; Email: <a href="mailto:jaime.blasco@alienvault.com">jaime.blasco@alienvault.com</a><br>
&gt;<br>
&gt; <a href="http://twitter.com/jaimeblascob" target="_blank">http://twitter.com/jaimeblascob</a><br>
&gt;<br>
<br>
<br>
</div></div><div><div></div><div class="h5">----------------------------------------------------<br>
Matt Jonkman<br>
Emerging Threats Pro<br>
Open Information Security Foundation (OISF)<br>
Phone <a href="tel:866-504-2523%20x110" value="+18665042523">866-504-2523 x110</a><br>
<a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br>
<a href="http://www.openinfosecfoundation.org" target="_blank">http://www.openinfosecfoundation.org</a><br>
----------------------------------------------------<br>
<br>
</div></div></blockquote></div><br>
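An added example, not code from the thread or from the ET ruleset: it applies the two rule conditions quoted above (the hardcoded User-Agent, and that UA plus the hardcoded multipart filename) to a constructed POST, and checks the case Matt describes, where the UA rule still fires after the filename changes. The helper names and the sample request are assumptions; note that a multipart part's Content-Disposition line sits in the POST body, so the check looks for it there rather than in the request header.

```python
import re

# Hardcoded strings taken from the two rules quoted in the thread.
DUQU_UA = (b"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
           b"Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)")
# Jaime's rule uses nocase, so the part header is matched case-insensitively.
DUQU_PART = re.compile(rb'Content-Disposition:\s*form-data;\s*name="DSC00001\.jpg"', re.I)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def evaluate_rules(raw: bytes) -> dict:
    """Return which of the thread's two rules would fire on this request."""
    _, headers, body = parse_request(raw)
    ua = headers.get(b"user-agent", b"")
    ua_hit = ua == DUQU_UA  # Chris's rule: exact UA string in the request header
    # Jaime's rule: same UA (nocase) plus the hardcoded multipart filename,
    # which is carried in the POST body, not in the request header.
    part_hit = ua.lower() == DUQU_UA.lower() and DUQU_PART.search(body) is not None
    return {"W32.Duqu User-Agent": ua_hit, "ET MALWARE W32.DUQU detected": part_hit}


def filename_changed(raw: bytes) -> bool:
    """Matt's indicator: the UA rule fires but the filename rule does not."""
    hits = evaluate_rules(raw)
    return hits["W32.Duqu User-Agent"] and not hits["ET MALWARE W32.DUQU detected"]


def build_request(ua: bytes, filename: bytes) -> bytes:
    """Construct a sample multipart POST (constructed test data, not a capture)."""
    boundary = b"----constructedboundary"
    body = (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="' + filename + b'"\r\n'
            b"Content-Type: image/jpeg\r\n\r\n\xff\xd8\xff\r\n"
            b"--" + boundary + b"--\r\n")
    head = (b"POST /upload.php HTTP/1.1\r\nHost: example.invalid\r\n"
            b"User-Agent: " + ua + b"\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body
```

The UA string is a plausible Firefox 3.6.9 on Vista, so the UA-only rule can also fire on legitimate hosts; the filename rule is the tighter of the two.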