MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers (1:26910)
****
Blog explaining this : http://neonprimetime.blogspot.com/2015/11/zeroaccess-snort-rule-126910-walk-thru.html
****
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; content:!"|0D 0A|Accept"; http_header; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:26910; rev:3; )
****
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 128
TagId: 268958596
~............k.....O...
.l.E)q..+B....v..6.G.Z..c.T.C.....0b*!E.....Y....r...&8/Ue..^K....J..Mc[C}]k$.....}^'.Um..y...+...%?M..~
****
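Added example, not part of the original paste or of the Snort rule set: a small Python checker that applies each condition of sid 26910 to a raw client request, run against a constructed request modelled on the capture above (the body bytes are made up, standing in for the 128-byte encrypted payload) and against a constructed ordinary browser POST of the same length.

```python
import re

# Constructed sample modelled on the request quoted above. The body is
# made-up non-printable bytes standing in for the 128-byte encrypted payload.
ZEROACCESS_LIKE = (
    b"POST / HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; MSIE 8.0;)\r\n"
    b"Host: search.namequery.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Content-Length: 128\r\n"
    b"TagId: 268958596\r\n"
    b"\r\n" + bytes(range(0x80, 0xC0)) * 2
)

# Constructed benign POST of the same length: browser-style Accept header,
# User-Agent is not the first header, and the form body is printable ASCII.
BENIGN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"Content-Length: 128\r\n"
    b"\r\n" + b"user=alice&password=" + b"x" * 108
)

def evaluate(raw: bytes) -> dict:
    """Apply each condition of sid 26910 to one raw client request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_buf = head.partition(b"\r\n")
    header_buf += b"\r\n"  # restore the CRLF that ends the last header line
    # content:" HTTP/1."; then "|0D 0A|User-Agent: " at distance:1 within:14 -
    # the 14-byte pattern has to sit right after the version digit, so
    # User-Agent must be the very first header line.
    i = raw.find(b" HTTP/1.")
    ua_start = i + len(b" HTTP/1.") + 1
    return {
        "method_post": request_line.startswith(b"POST "),
        "content_length_128": b"Content-Length: 128\r\n" in header_buf,
        "user_agent_first_header": i >= 0 and raw[ua_start:ua_start + 14] == b"\r\nUser-Agent: ",
        # content:!"|0D 0A|Accept"; http_header  (also rules out Accept-* headers)
        "no_accept_header": b"\r\nAccept" not in b"\r\n" + header_buf,
        # pcre:"/[^ -~\x0d\x0a]{4}/P": four consecutive non-printable bytes in the body
        "body_has_4_nonprintable": re.search(rb"[^ -~\r\n]{4}", body) is not None,
    }

def matches(raw: bytes) -> bool:
    """True when every condition holds, i.e. the rule would alert on this request."""
    return all(evaluate(raw).values())
```

The per-condition dictionary is what you want when tuning: it shows which single check (here the Accept header, the header order, or the printable body) keeps a legitimate POST from alerting.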
Reported by neonprimetime security
Blog: http://neonprimetime.blogspot.com
Twitter: https://twitter.com/neonprimetime @neonprimetime
VirusTotal: https://www.virustotal.com/en/user/neonprimetime/
Reddit: https://www.reddit.com/user/neonprimetime