# sid 2007671 rev 13 -- listed commented out (leading '#'), so it does not alert unless enabled.
# Detection logic, in option order:
#   content:"HTTP/1"; depth:6            HTTP response status line at the start of the payload
#   file_data; content:"MZ"; within:2    DOS header magic in the first two bytes of the file_data buffer
#   byte_jump:4,58,relative,little       reads the 4-byte little-endian field 58 bytes past "MZ"
#                                        (file offset 60, the e_lfanew field) and jumps forward by its value
#   content:"PE|00 00|"; distance:-64; within:4
#                                        the jump is counted from the end of that field (file offset 64),
#                                        so stepping back 64 bytes lands on the PE signature
#   pcre Content-Length \d{0,6}          header value of at most six digits (under 1,000,000 bytes)
# Change from rev 12: distance:-64 added to the PE signature match.
# Coverage limits: no match when the response has no Content-Length header (e.g. chunked transfer),
# or when the header name is cased differently (the pcre has no /i flag).
# NOTE(review): the Content-Length pcre follows file_data and names no header buffer; confirm on the
# target engine which buffer it is evaluated against.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"HTTP/1"; depth:6; file_data; content:"MZ"; within:2; fast_pattern; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:13;)

Added 2012-08-07 18:51:57 UTC


# sid 2007671 rev 12 -- listed commented out (leading '#').
# Matches an HTTP response whose file_data buffer starts with "MZ", follows the 4-byte little-endian
# field at file offset 60 (byte_jump:4,58,relative,little) and then expects "PE|00 00|" within 4 bytes,
# with a Content-Length of at most six digits.
# Change from rev 11: flowbits:isset,ET.http.binary removed, so the rule no longer depends on another
# rule having set that flowbit.
# NOTE(review): with no negative distance, the PE match is anchored where byte_jump lands, which is
# 64 bytes past the offset stored in the header field; presumably this is what rev 13's distance:-64
# corrects -- confirm.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"HTTP/1"; depth:6; file_data; content:"MZ"; within:2; fast_pattern; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:12;)

Added 2012-03-13 14:42:34 UTC


# sid 2007671 rev 11 -- listed commented out (leading '#').
# Change from rev 10: the DOS-stub string match ("This program ") is replaced by structural checks:
# file_data + "MZ" in the first two bytes, byte_jump through the 4-byte little-endian field at file
# offset 60, then "PE|00 00|".
# Still gated on flowbits:isset,ET.http.binary; the rule that sets this flowbit is not shown on this
# page, and this rule cannot fire unless that rule is loaded and has matched on the same flow.
# NOTE(review): no negative distance on the PE match, so it is anchored 64 bytes past the offset
# stored in the header field -- compare rev 13, which adds distance:-64.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,ET.http.binary; content:"HTTP/1"; depth:6; file_data; content:"MZ"; within:2; fast_pattern; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:11;)

Added 2012-03-07 18:44:59 UTC


# sid 2007671 rev 10 -- listed commented out (leading '#').
# Changes from rev 9: "MZ" must now directly follow a CRLF (content:"|0d 0a|MZ") and is marked
# fast_pattern; the colon in the Content-Length pcre is written as \x3a instead of \:.
# Executable check: at least 76 bytes of data after the "MZ" match (isdataat:76,relative), then the
# string "This program " somewhere after it (distance:0).
# Coverage limit: the match depends on the DOS stub text, so a PE file without that string is not
# detected by this revision.
# Gated on flowbits:isset,ET.http.binary, which is set by a rule not shown on this page.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,ET.http.binary; content:"HTTP/1"; depth:6; content:"|0d 0a|MZ"; fast_pattern; isdataat:76,relative; content:"This program "; distance:0; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:10;)

Added 2011-12-06 21:59:17 UTC


# sid 2007671 rev 9 (entry dated 2011-10-12) -- listed commented out (leading '#').
# Detection options are the same as the 2011-09-14 entry; only the order of reference and classtype
# differs, and the rev number was not incremented.
# Logic: HTTP response, flowbit ET.http.binary already set, "MZ" anywhere in the payload with at
# least 76 bytes after it, then "This program ", and a Content-Length of at most six digits.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,ET.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:9;)

Added 2011-10-12 19:23:36 UTC


# sid 2007671 rev 9 (entry dated 2011-09-14) -- listed commented out (leading '#').
# Change from the 2011-02-04 entry: the cvsweb reference URL is dropped; detection options are
# unchanged and the rev number was not incremented.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,ET.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007671; sid:2007671; rev:9;)

Added 2011-09-14 22:37:07 UTC


# sid 2007671 rev 9 (entry dated 2011-02-04) -- first entry on this page listed commented out.
# The rule text after the leading '#' is identical to the enabled 2009-02-11 entry, so this change
# only disables the rule; the rev number was not incremented.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,ET.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Small_Binary_Downloads; sid:2007671; rev:9;)

Added 2011-02-04 17:26:47 UTC


# sid 2007671 rev 9 (entry dated 2009-02-11) -- enabled (no leading '#').
# Change from rev 8: two reference URLs added; detection options are unchanged.
# Logic: HTTP response, flowbit ET.http.binary already set by another rule (not shown on this page),
# "MZ" anywhere in the payload with at least 76 bytes after it, then "This program ", and a
# Content-Length of at most six digits (under 1,000,000 bytes).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,ET.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Small_Binary_Downloads; sid:2007671; rev:9;)

Added 2009-02-11 19:15:23 UTC


# sid 2007671 rev 9 -- second listing of the 2009-02-11 entry; the rule text is identical to the
# listing directly above it on this page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,ET.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Small_Binary_Downloads; sid:2007671; rev:9;)

Added 2009-02-11 19:15:23 UTC


# sid 2007671 rev 8 -- enabled.
# Change from rev 7: the flowbit checked is renamed from BE.http.binary to ET.http.binary. The rule
# that sets the flowbit must use the same name, or this rule never fires; that rule is not shown here.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,ET.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:8;)

Added 2009-02-09 14:44:18 UTC


# sid 2007671 rev 8 -- second listing of the 2009-02-09 entry; the rule text is identical to the
# listing directly above it on this page (flowbit name ET.http.binary).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,ET.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:8;)

Added 2009-02-09 14:44:18 UTC


# sid 2007671 rev 7 -- enabled.
# Change from rev 6: msg text only ("-- " removed before "Likely Hostile"); detection options are
# unchanged. Anything keyed on the msg string (alert filters, SIEM rules) sees a new value; the sid
# is stable.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:7;)

Added 2008-06-06 20:49:01 UTC


# sid 2007671 rev 7 -- second listing of the 2008-06-06 entry; the rule text is identical to the
# listing directly above it on this page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:7;)

Added 2008-06-06 20:49:01 UTC


# sid 2007671 rev 6 -- enabled.
# Change from rev 5: msg prefix changed from "BLEEDING-EDGE POLICY" to "ET POLICY"; detection options
# are unchanged and the flowbit is still named BE.http.binary.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB -- Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:6;)

Added 2008-01-31 18:48:10 UTC


# sid 2007671 rev 6 -- second listing of the 2008-01-31 entry; the rule text is identical to the
# listing directly above it on this page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB -- Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:6;)

Added 2008-01-31 18:48:10 UTC


# sid 2007671 rev 5 -- enabled.
# The options are the same as rev 3 apart from the rev number; no rev 4 entry is listed on this page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Binary Download Smaller than 1 MB -- Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:5;)

Added 2007-11-09 01:01:50 UTC


# sid 2007671 rev 5 -- second listing of the 2007-11-09 entry; the rule text is identical to the
# listing directly above it on this page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Binary Download Smaller than 1 MB -- Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:5;)

Added 2007-11-09 01:01:50 UTC


# sid 2007671 rev 3 -- enabled.
# Change from rev 2: after "MZ" the rule now requires at least 76 more bytes of data
# (isdataat: 76,relative) and the string "This program " later in the payload (distance: 0),
# which narrows the bare two-byte "MZ" match of rev 2.
# Coverage limit: the added check depends on the DOS stub text being present in the file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Binary Download Smaller than 1 MB -- Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:3;)

Added 2007-11-08 23:46:05 UTC


# sid 2007671 rev 3 -- second listing of the 2007-11-08 23:46:05 entry; the rule text is identical to
# the listing directly above it on this page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Binary Download Smaller than 1 MB -- Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:3;)

Added 2007-11-08 23:46:05 UTC


# sid 2007671 rev 2 -- enabled.
# Change from rev 1: content:"MZ" added. It has no offset, depth or relative modifier, so the two
# bytes may appear anywhere in the payload; this is a weak check for an executable on its own and
# rev 3 tightens it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Binary Download Smaller than 1 MB -- Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:2;)

Added 2007-11-08 04:28:13 UTC


# sid 2007671 rev 2 -- second listing of the 2007-11-08 04:28:13 entry; the rule text is identical to
# the listing directly above it on this page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Binary Download Smaller than 1 MB -- Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:2;)

Added 2007-11-08 04:28:13 UTC


# sid 2007671 rev 1 -- enabled; earliest entry on this page.
# Matches an established server-to-client flow whose payload starts with "HTTP/1" and carries a
# Content-Length header of at most six digits (under 1,000,000 bytes).
# The rule itself does not inspect the body: identifying the download as a binary is left entirely to
# flowbits:isset,BE.http.binary, which is set by a rule not shown on this page.
# \d{0,6} also accepts zero digits, i.e. an empty Content-Length value.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Binary Download Smaller than 1 MB -- Likely Hostile"; flow:established,from_server; flowbits:isset,BE.http.binary; content:"HTTP/1"; depth:6; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; sid:2007671; rev:1;)

Added 2007-11-08 01:16:52 UTC

