alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; nocase; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:03:01 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; nocase; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:12;)

Added 2016-08-09 18:48:34 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:6;)

Added 2012-08-07 18:51:58 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; within:4; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:5;)

Added 2012-07-13 21:15:01 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:4;)

Added 2012-03-07 18:45:02 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; http_header; file_data; content:"MZ"; fast_pattern; within:2; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:3;)

Added 2011-12-06 21:59:18 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow: established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; content:"|0d 0a|MZ"; within: 100; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:2;)

Added 2011-10-12 19:28:30 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow: established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; content:"|0d 0a|MZ"; within: 100; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009897; sid:2009897; rev:2;)

Added 2011-09-14 22:41:48 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow: established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; content:"|0d 0a|MZ"; within: 100; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009897; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2009897; rev:2;)

Added 2011-02-04 17:29:18 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow: established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; content:"|0d 0a|MZ"; within: 100; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009897; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2009897; rev:2;)

Added 2009-09-14 17:00:37 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow: established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; content:"|0d 0a|MZ"; within: 100; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009897; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2009897; rev:2;)

Added 2009-09-14 16:59:37 UTC


Topic revision: r1 - 2017-08-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats