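# ET TROJAN W32.Daws/Sanny CnC Initial Beacon
# Client-side request to the C2 script: the URI must contain "/list.php?db="
# and the request must carry "Accept-Language: ko-kr" (|3A| is the ':' byte).
# The URI token on its own is short and generic, so the header match is what
# gives this rule its specificity; keep both. Adjust $HTTP_PORTS if the C2 was
# seen on a non-standard port in your environment.
# The HTML anchor tags that had been wrapped around the reference:url values in
# the mailed copy were removed; a rule parser would reject them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server; content:"/list.php?db="; http_uri; content:"Accept-Language|3A| ko-kr"; http_header; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; sid:1318811; rev:1;)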
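# ET TROJAN W32.Daws/Sanny CnC POST
# Client POST to /write.php carrying the same "Accept-Language: ko-kr" header.
# The form fields db=, &ch=, &name=, &email=, &pw= are matched in that order
# inside the request body, with "db=" pinned to the first 3 bytes of the body.
# Change from the submitted version: the body matches were placed after
# file_data, which in Snort 2.9 (and, as far as I recall, the Suricata releases
# of this period) selects the HTTP *response* body. On a to_server flow that
# buffer is never the POST payload, so the rule would not have fired as
# intended. http_client_body is the request-body buffer in both engines; it is
# a per-content modifier, so it is repeated on each body content. depth:3
# replaces within:3 for the first match so the anchor does not depend on a
# relative modifier with no preceding content match.
# The HTML anchor tags that had been wrapped around the reference:url values in
# the mailed copy were removed; a rule parser would reject them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; content:"Accept-Language|3A| ko-kr"; http_header; content:"db="; http_client_body; depth:3; content:"&ch="; http_client_body; distance:0; content:"&name="; http_client_body; distance:0; content:"&email="; http_client_body; distance:0; content:"&pw="; http_client_body; distance:0; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; sid:1318812; rev:1;)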
Regards,
Kevin