Where did you get those example requests from?  They don't match the writeup from Symantec.  Also, I would assume that "gulfstream" would be in there at some point, so if you're sure about that style of request, then I would swap [oa] with . in the pcre.<br>

<div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Dec 9, 2012 at 8:33 PM, Joel Esler <span dir="ltr"><<a href="mailto:jesler@sourcefire.com" target="_blank">jesler@sourcefire.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">That won't work unless you have 443 in http_inspect's config.<div><br></div><div>
Just FYI.</div>
<div><br></div><div><span style="font-size:12px;font-family:'Lucida Grande'">--</span><br><span style="font-size:12px;font-family:'Lucida Grande'"><b>Joel Esler</b></span><br><span style="font-size:12px;font-family:'Lucida Grande'">Senior Research Engineer, VRT</span><br>

<span style="font-size:12px;font-family:'Lucida Grande'">OpenSource Community Manager</span><br><span style="font-size:12px;font-family:'Lucida Grande'">Sourcefire</span></div><div><font face="Lucida Grande"><br>

</font><div><div><div class="h5"><div>On Dec 9, 2012, at 8:57 PM, Christopher Granger <<a href="mailto:chrisgrangerx@gmail.com" target="_blank">chrisgrangerx@gmail.com</a>> wrote:</div><br></div></div><blockquote type="cite">

<div><div class="h5">Hi ET,<div><br></div><div>Trojan.Gatak is a Trojan that allows backdoor access. Some versions are able to spread via shared resources. </div><div><br></div><div>The Trojan uses 443/TCP for C&C but sessions are not SSL/TLS encrypted. </div>


<div><br></div><div>Example requests:</div><div>/galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe</div><div>/galfstream&xcrvekhyx=ZJRWYZFTYdty0IFmK_nSHiT0JDY4AGgj</div><div>/golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz</div>


<div><br></div><div><br></div><div>Proposed rule:</div><div>alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Gatak POST Request to C&C"; flow:established,to_server; content:"POST"; nocase; http_method; content:"lfstream&"; nocase; http_uri; depth:12; pcre:"/\/g[oa]lfstream&/UAi"; reference: <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2012-012813-0854-99" target="_blank">http://www.symantec.com/security_response/writeup.jsp?docid=2012-012813-0854-99</a>; classtype:trojan-activity; sid:XXXXXXX; rev:1;)</div>


<div><br></div><div>Regards,</div><div>-Chris</div></div></div>
_______________________________________________<br>Emerging-sigs mailing list<br><a href="mailto:Emerging-sigs@lists.emergingthreats.net" target="_blank">Emerging-sigs@lists.emergingthreats.net</a><br><a href="http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>

<br>Support Emerging Threats! Subscribe to Emerging Threats Pro <a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br>The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!</blockquote>

</div><br></div></div></blockquote></div><br></div>
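The matching logic of the rule discussed in this thread, run over sample request lines as an added example (this is not code from the thread, from Snort or from Emerging Threats). It models the content/depth and pcre checks of Chris's rule against the three posted URIs plus a constructed "gulfstream" variant, compares the original `[oa]` character class with the `.` suggested in the reply, and models Joel's point that the http_method/http_uri buffers only exist for destination ports that http_inspect is configured to normalize. `HTTP_INSPECT_PORTS`, `Request`, `rule_matches` and `alerts` are names assumed for this simulation; the sample traffic is constructed.

```python
"""Offline simulation of the proposed Gatak Snort rule's matching logic.

Added example, not code from the thread, Snort or Emerging Threats. It mimics
two things the thread discusses:
  1. the content/depth and pcre checks against the http_uri buffer, with the
     original "[oa]" class and the looser "." suggested in the reply;
  2. that the http_method/http_uri buffers are only populated for destination
     ports listed in http_inspect's server config (HTTP_INSPECT_PORTS below is
     an assumed stand-in for that setting; Snort's default does not list 443).
"""
import re
from dataclasses import dataclass

# Assumed stand-in for the ports http_inspect normalizes.
HTTP_INSPECT_PORTS = {80, 8080}


@dataclass
class Request:
    dst_port: int
    method: str
    uri: str


# Constructed sample traffic: the three URIs from the post, a hypothetical
# "gulfstream" variant, and a benign request.
SAMPLES = [
    Request(443, "POST", "/galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe"),
    Request(443, "POST", "/galfstream&xcrvekhyx=ZJRWYZFTYdty0IFmK_nSHiT0JDY4AGgj"),
    Request(443, "POST", "/golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz"),
    Request(443, "POST", "/gulfstream&abcde=constructedvalue"),  # hypothetical variant
    Request(443, "GET", "/index.html"),                           # benign
]

# pcre:"/\/g[oa]lfstream&/UAi": U = URI buffer, A = anchored, i = case-insensitive
PCRE_ORIGINAL = re.compile(r"\A/g[oa]lfstream&", re.IGNORECASE)
# The reply's suggestion: swap [oa] for "." so a "gulfstream" URI also matches.
PCRE_LOOSER = re.compile(r"\A/g.lfstream&", re.IGNORECASE)


def rule_matches(req, pcre, inspect_ports=HTTP_INSPECT_PORTS):
    """Return True if the simulated rule would alert on req.

    Models: destination port 443, http_method POST (nocase), content
    "lfstream&" fully inside the first 12 bytes of the URI (depth:12),
    then the anchored pcre on the URI buffer.
    """
    if req.dst_port != 443:
        return False
    # If http_inspect does not normalize this port, the http_* buffers are
    # empty and the rule can never fire (the point made in Joel's reply).
    if req.dst_port not in inspect_ports:
        return False
    if req.method.upper() != "POST":
        return False
    if "lfstream&" not in req.uri[:12].lower():
        return False
    return pcre.search(req.uri) is not None


def alerts(samples, pcre, inspect_ports=HTTP_INSPECT_PORTS):
    """URIs of the samples that would trigger the rule."""
    return [r.uri for r in samples if rule_matches(r, pcre, inspect_ports)]


if __name__ == "__main__":
    with_443 = HTTP_INSPECT_PORTS | {443}
    print("http_inspect without 443:", alerts(SAMPLES, PCRE_ORIGINAL))
    print("with 443, [oa]:", alerts(SAMPLES, PCRE_ORIGINAL, with_443))
    print("with 443, '.':", alerts(SAMPLES, PCRE_LOOSER, with_443))
```

Run directly, the first list is empty because 443 is missing from the assumed http_inspect port set, the second catches the three posted URIs, and the third also catches the constructed "gulfstream" request while still ignoring the benign GET.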