private rule CookiesStrings : Cookies Family
{
    // Identifying strings for the "Cookies" family. Declared `private`, so a
    // match here is never reported on its own; the public `Cookies` rule
    // references it in its condition.
    meta:
        description = "Cookies Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"

    strings:
        // Archive-side indicators. The "<name>PK" strings presumably catch an
        // archive member name immediately followed by the next "PK" record
        // header, and the CRLF-terminated "Setup=" / "Silent=1" lines look
        // like a self-extractor configuration — NOTE(review): confirm against
        // samples, the rule text alone does not establish the container type.
        $zip1 = "ntdll.exePK" ascii
        $zip2 = "AcroRd32.exePK" ascii
        $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a" ascii
        $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a" ascii

        // Executable-side indicators: status messages the binary appears to
        // emit around command retrieval and file upload/download. All are
        // narrow-string matches except $exe10, which is matched in both
        // narrow and UTF-16 (`wide`) encodings.
        $exe1  = "Leave GetCommand!" ascii
        $exe2  = "perform exe success!" ascii
        $exe3  = "perform exe failure!" ascii
        $exe4  = "Entry SendCommandReq!" ascii
        $exe5  = "Reqfile not exist!" ascii
        $exe6  = "LeaveDealUpfile!" ascii
        $exe7  = "Entry PostData!" ascii
        $exe8  = "Leave PostFile!" ascii
        $exe9  = "Entry PostFile!" ascii
        $exe10 = "\\unknow.zip" ascii wide
        $exe11 = "the url no respon!" ascii

    condition:
        // Two hits from either group are enough: a single shared string
        // (e.g. a lone "Entry PostFile!") does not fire the rule.
        2 of ($zip*) or 2 of ($exe*)
}
rule Cookies : Family
{
    // Public rule for the "Cookies" family. It carries no strings of its own;
    // every indicator lives in the private helper `CookiesStrings`, which
    // must be present in the same ruleset for this rule to compile.
    meta:
        author = "Seth Hardy"
        last_modified = "2014-06-20"
        description = "Cookies"

    condition:
        // Delegates entirely to the private string rule.
        CookiesStrings
}