$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS means traffic from a local host on any port to a remote host on the web ports.
content:"POST"; http_method; means the HTTP method is POST (typically what happens when a user hits a submit button on a website, but there are many ways to post data back to a server).
content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; means the HTTP header must contain the text 'Content-Length: 128' followed immediately by a newline (\r\n), i.e. a request body of exactly 128 bytes.
content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; means ' HTTP/1.' and '\r\nUser-Agent: ' must be close together: distance:1 skips one byte (the version digit) after ' HTTP/1.', and within:14 requires the 14-byte string '\r\nUser-Agent: ' to sit entirely inside the next 14 bytes, so User-Agent has to be the very first header line.
content:!"|0D 0A|Accept"; http_header; means the header does not contain a line starting with 'Accept' (the ! negates the match).
pcre:"/[^ -~\x0d\x0a]{4}/P"; means it must match this regular expression (the P flag applies it to the POST body) ...
' -~' means "printable characters", space through tilde .... so if you look at http://www.asciitable.com/ that is everything from the 2nd column to the end
\x0d and \x0a are the newlines again (\r and \n)
the ^ at the start of the [...] class means "not one of these"
and the {4} means 4 times in a row
so I'd read it as saying the body contains 4 non-printable characters in a row
which, based on the title 'ZeroAccess Encrypted 128-byte POST No Accept Headers', I'm wondering is how they try to indicate encryption, since encrypted bytes rarely stay printable for four characters running.
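As an added example (my own code, not from the original post and not Snort's matching engine), here are the same checks re-implemented in Python and run over two constructed requests, so you can see which one the rule would fire on. The request bytes and the function name are made up for this illustration.

```python
import re

# Constructed sample traffic for this example (not a real capture).
# A 128-byte POST whose body is all bytes 0x01..0x08: nothing printable.
SUSPICIOUS = (
    b"POST /update HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 128\r\n"
    b"\r\n"
) + bytes(range(1, 9)) * 16

# A normal browser-style form post of the same length, with an Accept header.
BENIGN = (
    b"POST /login HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"Content-Length: 128\r\n"
    b"\r\n"
) + b"user=alice&pass=" + b"A" * 112

# pcre:"/[^ -~\x0d\x0a]{4}/P"  -> four consecutive bytes that are neither
# printable ASCII (space..tilde) nor CR/LF, applied to the body only.
NONPRINTABLE_RUN = re.compile(rb"[^ -~\x0d\x0a]{4}")


def rule_matches(raw: bytes) -> bool:
    """Return True if every condition of the ZeroAccess rule holds."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False                       # not a complete request
    header = head + b"\r\n"                # keep the CRLF ending the last line
    # content:"POST"; http_method;
    if not header.split(b"\r\n", 1)[0].startswith(b"POST "):
        return False
    # content:"Content-Length: 128|0D 0A|"; http_header;
    if b"Content-Length: 128\r\n" not in header:
        return False
    # content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1;
    pos = raw.find(b" HTTP/1.")
    if pos < 0:
        return False
    start = pos + len(b" HTTP/1.") + 1     # distance:1 skips the version digit
    if raw[start:start + 14] != b"\r\nUser-Agent: ":   # 14-byte string within 14
        return False
    # content:!"|0D 0A|Accept"; http_header;
    if b"\r\nAccept" in header:
        return False
    return NONPRINTABLE_RUN.search(body) is not None
```

The benign form post fails on the Accept header alone, and would still fail on the pcre even without it, because its body is entirely printable.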
Other good links for ZeroAccess are the Symantec explanation and the Symantec white paper.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.