<div dir="ltr"><div><div>2nd minor tweak:<br>alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
 You have voice message Kuluoz.D URI"; flow:established,to_server; 
content:".php?"; http_uri; fast_pattern:only; 
pcre:"/\.php\?[a-z]+=[a-zA-Z0-9\x2b\x5c\x2f]{22}$/U"; reference:url,<a href="http://www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/" target="_blank">www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/</a>; classtype:trojan-activity; sid:XxXxXxXx; rev:1;)<br><br></div>Updated with $/U at end of PCRE.<br><br></div>-Ben.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 12, 2014 at 3:13 PM, Ben Koenig <span dir="ltr"><<a href="mailto:koenigb@gmail.com" target="_blank">koenigb@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>minor tweak:<br>alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
 You have voice message Kuluoz.D URI"; flow:established,to_server; 
content:".php?"; http_uri; fast_pattern:only; 
pcre:"/\.php\?[a-z]+=[a-zA-Z0-9\x2b\x5c\x2f]{22}"; reference:url,<a href="http://www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/" target="_blank">www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/</a>; classtype:trojan-activity; sid:XxXxXxXx; rev:1;)<br><br></div>This is very close to SID: 2018589 from June.<br><br><br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 12, 2014 at 3:07 PM, Ben Koenig <span dir="ltr"><<a href="mailto:koenigb@gmail.com" target="_blank">koenigb@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm pretty sure I did this right, but please let me know if I didn't. This is related to a spam campaign that shows up as Kuluoz.D: email subject was "You have voice message".<br><div><br>alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS You have voice message Kuluoz.D URI"; flow:established,to_server; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]+=[a-zA-Z0-9/+]{22}"; reference:url,<a href="http://www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/" target="_blank">www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/</a>; classtype:trojan-activity; sid:XxXxXxXx; rev:1;)<br><br><br></div><div>I didn't see any of the existing Asprox/Kuluoz rules matching that in our set.<br><br></div><div>-Thanks,<br>Ben.<br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
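<p>Added worked example (not part of the thread above and not Ben's code): the three rule versions differ only in the PCRE, and the two earlier ones are incomplete as written, since the PCRE has no closing <code>/</code> delimiter (the oldest also leaves the <code>/</code> inside the character class unescaped). The final version closes it with <code>$/U</code>. The Python below emulates the rule's match logic (the <code>.php?</code> content prefilter, then the PCRE) against constructed sample URIs to show what the <code>$</code> anchor changes: without it a 22-character base64-looking value is matched even when it is a prefix of a longer value or is followed by more parameters. It assumes the regex applied to a plain path-plus-query string is a fair stand-in for Suricata's normalized URI buffer (<code>/U</code>); that is an approximation, not Suricata's matcher.</p>

```python
"""Emulate the URI-matching logic of the Kuluoz.D rule versions posted above.

Added example; the sample URIs are constructed, not captured traffic.
Applying the regex to path+query is an approximation of Suricata's /U
(normalized URI) buffer, not its real matcher.
"""
import re

# fast_pattern content match that gates the PCRE in the rule
CONTENT_PREFILTER = ".php?"

# PCRE body of the first tweak (no end anchor) and of the final rule ($ anchor).
# \x2b, \x5c and \x2f are '+', '\' and '/' respectively.
PCRE_UNANCHORED = re.compile(r"\.php\?[a-z]+=[a-zA-Z0-9\x2b\x5c\x2f]{22}")
PCRE_ANCHORED = re.compile(r"\.php\?[a-z]+=[a-zA-Z0-9\x2b\x5c\x2f]{22}$")


def rule_matches(uri: str, pcre: re.Pattern = PCRE_ANCHORED) -> bool:
    """Mimic rule evaluation: content prefilter first, then the PCRE."""
    if CONTENT_PREFILTER not in uri:
        return False
    return pcre.search(uri) is not None


# Constructed sample URIs (assumed shapes, not from the VirusTotal sample).
SAMPLE_URIS = [
    "/x.php?id=aBcDeFgHiJkLmNoPqRsT+/",          # exactly 22 chars: both match
    "/x.php?id=aBcDeFgHiJkLmNoPqRsT+/abcdefgh",  # 30 chars: only unanchored matches
    "/x.php?id=aBcDeFgHiJkLmNoPqRsT+/&v=1",      # trailing param: only unanchored matches
    "/x.php?ID=aBcDeFgHiJkLmNoPqRsT+/",          # [a-z]+ is case-sensitive: no match
    "/index.php?page=home",                      # benign: no match
    "/cgi-bin/a?k=aBcDeFgHiJkLmNoPqRsT+/",       # fails the .php? prefilter
]


def compare_versions(uris=SAMPLE_URIS) -> dict:
    """Return {uri: (unanchored_hit, anchored_hit)} for each sample URI."""
    return {
        u: (rule_matches(u, PCRE_UNANCHORED), rule_matches(u, PCRE_ANCHORED))
        for u in uris
    }


if __name__ == "__main__":
    for uri, (old, new) in compare_versions().items():
        print(f"{uri:45s} unanchored={old!s:5s} anchored={new}")
```

<p>The two middle cases are the ones the <code>$</code> anchor is there for: a 23+ character token or a second query parameter still contains a 22-character run and fires the unanchored version. Whether the anchored form is the right trade-off depends on whether the campaign ever appends parameters; the thread notes the rule is close to SID 2018589, so comparing against that rule's test traffic is the check a reviewer would make before committing.</p>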