# ET TROJAN Unknown Fake AV Checkin (sid 2010545, rev 2)
#
# Purpose: alert on an outbound HTTP GET whose URI matches the check-in
# pattern of a fake-AV sample (the msg labels the family "Unknown").
#
# Match conditions, in rule order:
#   - Established TCP session, client-to-server, $HOME_NET -> $EXTERNAL_NET
#     on $HTTP_PORTS. Traffic on ports outside $HTTP_PORTS is not inspected.
#   - The first 4 payload bytes are "GET " (nocase/depth apply to this content).
#   - The string "Referer: " does not appear anywhere in the payload
#     (negated content, case-insensitive, no depth limit).
#   - The URI contains each of "/cmd.php?c=", "&v=", "&b=", "&id=", "&cnt=",
#     "&q=". These uricontent checks are case-sensitive and are evaluated
#     independently, so on their own they do not enforce parameter order.
#   - The pcre (/U = match against the decoded URI) enforces the order
#     c, v, b, id, cnt, q and the value formats: c, id, q are [A-Z0-9]+,
#     v and b are digits, cnt is [A-Z]+.
#
# Detection notes:
#   - The pcre has no /i flag, so a request carrying lowercase parameter
#     values will not match; the rule is tied to the uppercase encoding.
#   - The pcre is not anchored at the end, so extra trailing parameters
#     still match.
#   - The rule places no constraint on Host or User-Agent. When triaging a
#     hit, review the destination host and the rest of the request.
#   - uricontent is the legacy Snort 2.x keyword; engines that have dropped
#     it express the same check as content with an http_uri modifier.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Fake AV Checkin"; flow:to_server,established; content:"GET "; nocase; depth:4; content:!"Referer\: "; nocase; uricontent:"/cmd.php?c="; uricontent:"&v="; uricontent:"&b="; uricontent:"&id="; uricontent:"&cnt="; uricontent:"&q="; pcre:"/cmd\.php\?c=[A-Z0-9]+&v=\d+&b=\d+&id=[A-Z0-9]+&cnt=[A-Z]+&q=[A-Z0-9]+/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010545; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010545; rev:2;)

Added 2009-12-22 20:30:43 UTC


# ET TROJAN Unknown Fake AV Checkin (sid 2010545, rev 2)
#
# NOTE(review): this entry carries the same sid and rev as the other
# sid:2010545 entry listed on this page and the rule text appears identical.
# Load only one copy; a rule set normally expects each sid/rev pair once.
#
# Matches an established client-to-server HTTP request from $HOME_NET to
# $EXTERNAL_NET on $HTTP_PORTS that:
#   - begins with "GET " (first 4 bytes, case-insensitive),
#   - contains no "Referer: " string anywhere in the payload,
#   - has a URI containing "/cmd.php?c=", "&v=", "&b=", "&id=", "&cnt=",
#     "&q=" (case-sensitive uricontent checks, each evaluated on its own),
#   - and whose decoded URI (/U) satisfies the pcre, which fixes the
#     parameter order and the value formats (uppercase alphanumerics for
#     c/id/q, digits for v/b, uppercase letters for cnt).
#
# The pcre is case-sensitive and unanchored at the end: lowercase parameter
# values are not matched, and additional trailing parameters are allowed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Fake AV Checkin"; flow:to_server,established; content:"GET "; nocase; depth:4; content:!"Referer\: "; nocase; uricontent:"/cmd.php?c="; uricontent:"&v="; uricontent:"&b="; uricontent:"&id="; uricontent:"&cnt="; uricontent:"&q="; pcre:"/cmd\.php\?c=[A-Z0-9]+&v=\d+&b=\d+&id=[A-Z0-9]+&cnt=[A-Z]+&q=[A-Z0-9]+/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010545; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010545; rev:2;)

Added 2009-12-22 20:29:15 UTC


Topic revision: r1 - 2009-12-23 - TWikiGuest
 