private rule CookiesStrings : Cookies Family { meta: description = "Cookies Identifying Strings" author = "Seth Hardy" last_modified = "2014-06-20" strings: $zip1 = "ntdll.exePK" $zip2 = "AcroRd32.exePK" $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a" $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a" $exe1 = "Leave GetCommand!" $exe2 = "perform exe success!" $exe3 = "perform exe failure!" $exe4 = "Entry SendCommandReq!" $exe5 = "Reqfile not exist!" $exe6 = "LeaveDealUpfile!" $exe7 = "Entry PostData!" $exe8 = "Leave PostFile!" $exe9 = "Entry PostFile!" $exe10 = "\\unknow.zip" wide ascii $exe11 = "the url no respon!" condition: (2 of ($zip*)) or (2 of ($exe*)) } rule Cookies : Family { meta: description = "Cookies" author = "Seth Hardy" last_modified = "2014-06-20" condition: CookiesStrings }