ZeroAccess Encrypted 128-byte POST No Accept Headers 1:26910

1. MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers (1:26910)
2.  
3. ****
4. Blog explaining this : http://neonprimetime.blogspot.com/2015/11/zeroaccess-snort-rule-126910-walk-thru.html
5. ****
6.  
7. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; content:!"|0D 0A|Accept"; http_header; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:26910; rev:3; )
8.  
9. ****
10. POST / HTTP/1.1
11. User-Agent: Mozilla/5.0 (compatible; MSIE 8.0;)
12. Host: search.namequery.com
13. Connection: Keep-Alive
14. Cache-Control: no-cache
15. Content-Length: 128
16. TagId: 268958596
17.  
18. ~............k.....O...
19. .l.E)q..+B....v..6.G.Z..c.T.C.....0b*!E.....Y....r...&8/Ue..^K....J..Mc[C}]k$.....}^'.Um..y...+...%?M..~
20.  
21. ****
22.  
23. Reported by neonprimetime security
24. Blog: http://neonprimetime.blogspot.com
25. Twitter: https://twitter.com/neonprimetime @neonprimetime
26. VirusTotal: https://www.virustotal.com/en/user/neonprimetime/
27. Reddit: https://www.reddit.com/user/neonprimetime