alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id="; uricontent:"&version_id="; content:"|0d 0a|Content-Type\: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; reference:url,doc.emergingthreats.net/2003509; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gozi; sid:2003509; rev:5;)

Added 2009-02-12 18:21:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id="; uricontent:"&version_id="; content:"|0d 0a|Content-Type\: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; reference:url,doc.emergingthreats.net/2003509; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gozi; sid:2003509; rev:5;)

Added 2009-02-12 18:21:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id="; uricontent:"&version_id="; content:"|0d 0a|Content-Type\: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:4;)

Added 2009-01-29 22:00:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id="; uricontent:"&version_id="; content:"|0d 0a|Content-Type\: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:4;)

Added 2009-01-29 22:00:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id="; uricontent:"&version_id="; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:3;)

Added 2009-01-28 11:15:42 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id="; uricontent:"&version_id="; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:3;)

Added 2009-01-28 11:15:42 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi?"; depth:24; pcre:"/POST\x20\x2Fcgi\x2Dbin\x2Fcerts\x2Ecgi\x20HTTP\x2F1\x2E1[\x0D\x0A]+Content\x2DType\x3A\x20multipart\x2Fform\x2Ddata\x3B\x20boundary\x3D.*[\x0D\x0A]+User\x2DAgent\x3A\x20Mozilla\x2F4\x2D0\x20\x28compatible\x3B\x20MSIE\x206\x2D0\x3B\x20Windows\x20NT\x205\x2D1\x29[\x0D\x0A]+Host\x3A\x20/i"; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:2;)

Added 2008-01-31 10:12:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi?"; depth:24; pcre:"/POST\x20\x2Fcgi\x2Dbin\x2Fcerts\x2Ecgi\x20HTTP\x2F1\x2E1[\x0D\x0A]+Content\x2DType\x3A\x20multipart\x2Fform\x2Ddata\x3B\x20boundary\x3D.*[\x0D\x0A]+User\x2DAgent\x3A\x20Mozilla\x2F4\x2D0\x20\x28compatible\x3B\x20MSIE\x206\x2D0\x3B\x20Windows\x20NT\x205\x2D1\x29[\x0D\x0A]+Host\x3A\x20/i"; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:2;)

Added 2008-01-31 10:12:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi?"; depth:24; pcre:"/POST\x20\x2Fcgi\x2Dbin\x2Fcerts\x2Ecgi\x20HTTP\x2F1\x2E1[\x0D\x0A]+Content\x2DType\x3A\x20multipart\x2Fform\x2Ddata\x3B\x20boundary\x3D.*[\x0D\x0A]+User\x2DAgent\x3A\x20Mozilla\x2F4\x2D0\x20\x28compatible\x3B\x20MSIE\x206\x2D0\x3B\x20Windows\x20NT\x205\x2D1\x29[\x0D\x0A]+Host\x3A\x20/i"; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:1;)

Added 2007-06-13 01:25:15 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi?"; depth:24; pcre:"/POST\x20\x2Fcgi\x2Dbin\x2Fcerts\x2Ecgi\x20HTTP\x2F1\x2E1[\x0D\x0A]+Content\x2DType\x3A\x20multipart\x2Fform\x2Ddata\x3B\x20boundary\x3D.*[\x0D\x0A]+User\x2DAgent\x3A\x20Mozilla\x2F4\x2D0\x20\x28compatible\x3B\x20MSIE\x206\x2D0\x3B\x20Windows\x20NT\x205\x2D1\x29[\x0D\x0A]+Host\x3A\x20/i"; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:1;)

Added 2007-03-21 09:31:15 UTC


Topic revision: r2 - 2007-03-21 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats