# sid 2009753, rev 2: outbound HTTP request attributed by the rule author to the
# Monkif/DlKroha trojan downloader (classtype trojan-activity).
#
# Scope: established TCP sessions, client-to-server direction, from $HOME_NET
# source ports 1024 and above to $EXTERNAL_NET on $HTTP_PORTS.
#
# Prefilter: all four uricontent options must be found in the normalized URI:
# ".php?", "fl=", "fid=" and "x6". None is position-constrained, and "x6" is only
# two bytes, so the pcre below does the real discrimination.
#
# Confirmation: the pcre carries no U modifier, so it is evaluated against the
# raw payload rather than the normalized URI. It requires a request line shaped as
#   GET <anything>/<word chars>.php?fl=<32 chars of 0-9a-z>&fid=<digits>&<...>x6<2-5 digits><...> HTTP/1.0 or HTTP/1.1, CRLF
#
# NOTE(review): "^" has no multiline flag, so the GET must start the inspected
#   payload; a request that is not at the start of the buffer (e.g. pipelined)
#   would presumably not match. Confirm against the sensor's reassembly settings.
# NOTE(review): neither nocase nor the pcre "i" flag is set, so an uppercase
#   value in fl= or a lower-case method would not match. Verify against samples.
# NOTE(review): coverage is limited to $HTTP_PORTS; the same request on another
#   destination port is not inspected by this rule.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monkif/DlKroha Trojan Downloader Activity HTTP Outbound"; flow:to_server,established; uricontent:".php?"; uricontent:"fl="; uricontent:"fid="; uricontent:"x6"; pcre:"/^GET\s+[^\x0D\x0A]*\x2F\w+\x2Ephp\x3Ffl\x3D[0-9a-z]{32}\x26fid\x3D\d+\x26[^\x0D\x0A]*x6\d{2,5}[^\x0D\x0A]*\s+HTTP\x2F1\x2E[01]\x0D\x0A/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009753; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Monkif; sid:2009753; rev:2;)

Added 2009-08-22 16:45:39 UTC


# Second listing of sid 2009753 rev 2; the rule text and the "Added" timestamp
# are identical to the first entry on this page.
# Detection logic: four unanchored uricontent matches on the normalized URI
# (".php?", "fl=", "fid=", "x6"), then a pcre on the raw payload that pins the
# full GET request line: a 32-character fl= value drawn from 0-9a-z, a numeric
# fid= value, and a later "x6" followed by 2-5 digits.
# Loading both listings into one ruleset would give a duplicate sid/rev pair,
# so a deployment should keep a single copy.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monkif/DlKroha Trojan Downloader Activity HTTP Outbound"; flow:to_server,established; uricontent:".php?"; uricontent:"fl="; uricontent:"fid="; uricontent:"x6"; pcre:"/^GET\s+[^\x0D\x0A]*\x2F\w+\x2Ephp\x3Ffl\x3D[0-9a-z]{32}\x26fid\x3D\d+\x26[^\x0D\x0A]*x6\d{2,5}[^\x0D\x0A]*\s+HTTP\x2F1\x2E[01]\x0D\x0A/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009753; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Monkif; sid:2009753; rev:2;)

Added 2009-08-22 16:45:39 UTC


# sid 2009753, rev 1: the original revision of the rule.
# Header, flow, uricontent and pcre options are the same as in rev 2; the only
# difference visible on this page is that rev 1 has no reference:url options,
# so alerts from it carry no documentation link.
# Retained here as history. rev 2 supersedes it, and the two must not be loaded
# together because they share the same sid.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monkif/DlKroha Trojan Downloader Activity HTTP Outbound"; flow:to_server,established; uricontent:".php?"; uricontent:"fl="; uricontent:"fid="; uricontent:"x6"; pcre:"/^GET\s+[^\x0D\x0A]*\x2F\w+\x2Ephp\x3Ffl\x3D[0-9a-z]{32}\x26fid\x3D\d+\x26[^\x0D\x0A]*x6\d{2,5}[^\x0D\x0A]*\s+HTTP\x2F1\x2E[01]\x0D\x0A/"; classtype:trojan-activity; sid:2009753; rev:1;)

Added 2009-08-20 10:00:39 UTC

