# sid:2008559 rev:7 - alerts when an established server-to-client flow carries the opening comment lines of the stock Windows sample HOSTS file.
# NOTE(review): msg says "LMHosts", but the matched text reads "sample HOSTS file"; triage on the payload, not on the rule name.
# NOTE(review): the content has no sticky buffer (e.g. file_data), so a compressed response body may not match - confirm against your engine.
# NOTE(review): the same header text appears in benign pages that quote the stock file; corroborate with DNS or hosts-file changes on the client before treating it as DNSChanger.
# metadata created_at 2010_07_30 is later than the earliest "Added" date on this page (2008-09-16); do not use it to date the signature.
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; classtype:trojan-activity; sid:2008559; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:43 UTC


# sid:2008559 rev:6 (entry added 2011-10-12) - TCP-level match on the stock Windows sample HOSTS file header in traffic sent to the client.
# The source side is limited to $HTTP_PORTS, so a response from a server on any other port is not inspected by this rule.
# NOTE(review): fast_pattern:only asks for the content to be used by the fast pattern matcher alone; engine and version support differs - verify before reuse.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; classtype:trojan-activity; sid:2008559; rev:6;)

Added 2011-10-12 19:25:22 UTC


# sid:2008559 rev:6 (entry added 2011-09-14) - same header, flow, content and fast_pattern options as the 2011-10-12 entry on this page; only the order of classtype and reference differs.
# The content is a single case-sensitive string (no nocase), so a server that alters case or whitespace in the header would not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; fast_pattern:only; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; sid:2008559; rev:6;)

Added 2011-09-14 22:38:48 UTC


# sid:2008559 rev:6 (entry added 2011-02-04) - first entry on this page with spaces written as |20| and with fast_pattern:only.
# |20| is the hex form of a space, so the matched bytes are unchanged from the rev:4 entry on this page.
# This entry still carries the cvsweb reference URL that the later rev:6 entries omit.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; fast_pattern:only; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download; sid:2008559; rev:6;)

Added 2011-02-04 17:27:44 UTC


# sid:2008559 rev:4 - matches the sample HOSTS file header with literal spaces and |0d 0a| line endings; msg uses the "ET ATTACK_RESPONSE" prefix.
# NOTE(review): the |0d 0a| bytes require CRLF line endings; a copy of the file served with LF-only endings would not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.|0d 0a|#|0d 0a|# This file contains the mappings of IP addresses to host names."; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download; sid:2008559; rev:4;)

Added 2010-06-15 13:15:59 UTC


# sid:2008559 rev:4 - second rev:4 entry with the same "Added" timestamp (2010-06-15 13:15:59 UTC); the rule text is identical to the other rev:4 entry.
# Load only one copy of a given sid; two rules with the same sid in one ruleset are normally reported as duplicates by the engine.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.|0d 0a|#|0d 0a|# This file contains the mappings of IP addresses to host names."; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download; sid:2008559; rev:4;)

Added 2010-06-15 13:15:59 UTC


# sid:2008559 rev:3 - msg reads "ET ATTACK RESPONSE" with a space, where the rev:2 and rev:4 entries use "ET ATTACK_RESPONSE".
# Alert searches or suppressions keyed on the msg string need both spellings to cover historical events; keying on sid:2008559 avoids the problem.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.|0d 0a|#|0d 0a|# This file contains the mappings of IP addresses to host names."; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download; sid:2008559; rev:3;)

Added 2009-02-07 10:30:23 UTC


# sid:2008559 rev:3 - second rev:3 entry with the same "Added" timestamp (2009-02-07 10:30:23 UTC); the rule text is identical to the other rev:3 entry.
# The detection logic (header, flow, content) is the same as in the rev:2 and rev:4 entries on this page; only msg and rev differ.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.|0d 0a|#|0d 0a|# This file contains the mappings of IP addresses to host names."; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download; sid:2008559; rev:3;)

Added 2009-02-07 10:30:23 UTC


# sid:2008559 rev:2 - adds two reference URLs to the rev:1 rule; header, flow and content are unchanged from rev:1.
# flow:established,to_client limits the match to traffic sent to the client on an established session, i.e. the download itself, not the request.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.|0d 0a|#|0d 0a|# This file contains the mappings of IP addresses to host names."; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download; sid:2008559; rev:2;)

Added 2009-02-06 19:00:55 UTC


# sid:2008559 rev:2 - second rev:2 entry with the same "Added" timestamp (2009-02-06 19:00:55 UTC); the rule text is identical to the other rev:2 entry.
# The rule sees only the download. Whether the client then applied the file is not visible to it and has to be checked on the host.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.|0d 0a|#|0d 0a|# This file contains the mappings of IP addresses to host names."; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download; sid:2008559; rev:2;)

Added 2009-02-06 19:00:55 UTC


# sid:2008559 rev:1 - the original signature: one content match on the sample HOSTS file header, with no reference options.
# NOTE(review): the only discriminator is the stock header text, which is not malicious in itself; the "Likely DNSChanger" attribution in msg needs confirmation from the file's remaining entries or from host evidence.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.|0d 0a|#|0d 0a|# This file contains the mappings of IP addresses to host names."; classtype:trojan-activity; sid:2008559; rev:1;)

Added 2008-09-16 12:30:21 UTC

