# Latest listed state of sid 2011228 (rev 3): the rule is commented out and its
# msg carries the "ET DELETED" prefix, so it produces no alerts unless a local
# policy re-enables it. The detection options are the same as in the enabled
# rev 3 text further down this page; only the msg prefix, the reference list
# and the metadata field differ.
# NOTE(review): the page does not state why the rule was retired. A user note
# on this page reports hits from apparently legitimate tracking traffic, so
# expect false positives if this is re-enabled without an added host or header
# constraint.
# NOTE(review): metadata shows created_at/updated_at 2010_07_30, which does not
# line up with the revision timestamps on this page; do not rely on it for
# rule age.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED StartPage? activity"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"stat.htm?id="; http_uri; content:"&r="; http_uri; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&cnzz|5f|eid="; http_uri; content:"|2d|&showp="; http_uri; content:"&st="; http_uri; content:"&sin"; http_uri; content:"&res="; http_uri; reference:url,doc.emergingthreats.net/2011228; classtype:trojan-activity; sid:2011228; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:04:24 UTC


##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED StartPage? activity"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"stat.htm?id="; http_uri; content:"&r="; http_uri; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&cnzz|5f|eid="; http_uri; content:"|2d|&showp="; http_uri; content:"&st="; http_uri; content:"&sin"; http_uri; content:"&res="; http_uri; reference:url,doc.emergingthreats.net/2011228; classtype:trojan-activity; sid:2011228; rev:3;)

Added 2011-10-12 19:31:36 UTC


##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED StartPage? activity"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"stat.htm?id="; http_uri; content:"&r="; http_uri; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&cnzz|5f|eid="; http_uri; content:"|2d|&showp="; http_uri; content:"&st="; http_uri; content:"&sin"; http_uri; content:"&res="; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011228; sid:2011228; rev:3;)

Added 2011-09-14 22:45:02 UTC


##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED StartPage? activity"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"stat.htm?id="; http_uri; content:"&r="; http_uri; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&cnzz|5f|eid="; http_uri; content:"|2d|&showp="; http_uri; content:"&st="; http_uri; content:"&sin"; http_uri; content:"&res="; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011228; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2011228; rev:3;)

Added 2011-03-10 16:05:16 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN StartPage? activity"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"stat.htm?id="; http_uri; content:"&r="; http_uri; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&cnzz|5f|eid="; http_uri; content:"|2d|&showp="; http_uri; content:"&st="; http_uri; content:"&sin"; http_uri; content:"&res="; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011228; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2011228; rev:3;)

Added 2011-03-09 10:48:08 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN StartPage? activity"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"stat.htm?id="; http_uri; content:"&r="; http_uri; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&cnzz|5f|eid="; http_uri; content:"|2d|&showp="; http_uri; content:"&st="; http_uri; content:"&sin"; http_uri; content:"&res="; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011228; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2011228; rev:3;)

Added 2011-03-08 20:58:03 UTC


# sid 2011228, rev 3, enabled form.
# Alerts on an established client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose URI contains all eleven fragments listed below. None of
# the http_uri contents uses distance/within, so the fragments may appear in
# any order. |5f| is "_" and |2d| is "-", i.e. "&cnzz_eid=" and "-&showp=".
# NOTE(review): nothing constrains the destination host or any request header,
# so the rule keys purely on query-string parameter names. The parameter set
# (ntime, repeatip, rtime, showp, res, cnzz_eid) looks like a web-analytics
# beacon, presumably CNZZ. A user note on this page reports hits from
# apparently legitimate browsing. Treat an alert as a lead to corroborate
# (Referer, destination host, endpoint telemetry), not as proof of infection.
# NOTE(review): the "?" after StartPage in msg is probably a wiki rendering
# artifact; check the msg against the distributed rule file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN StartPage? activity"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"stat.htm?id="; http_uri; content:"&r="; http_uri; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&cnzz|5f|eid="; http_uri; content:"|2d|&showp="; http_uri; content:"&st="; http_uri; content:"&sin"; http_uri; content:"&res="; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011228; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2011228; rev:3;)

Added 2011-02-04 17:31:01 UTC

We are seeing quite a lot of hits on this sig from apparently legit traffic in our residences (legit referers). The traffic appears to be some sort of tracking and my guess is that this is a legit service (for some value of legit) that is also being used by Chinese botnets to track their drones.

-- RussellFulton - 08 Mar 2011


# sid 2011228, rev 1, the original form of the rule.
# Same eleven URI fragments as the later rev 3 text on this page, but written
# with the legacy uricontent keyword. The method check is a raw payload match:
# "GET " must sit within the first 4 bytes of the packet payload
# (content + depth:4). It does not use the http_method buffer.
# |5f| is "_" and |2d| is "-", i.e. "&cnzz_eid=" and "-&showp=".
# NOTE(review): as in the later revision, there is no destination-host or
# header constraint, so any request carrying these parameter names matches.
# This is presumably an analytics beacon; verify before treating a hit as
# trojan activity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN StartPage? activity";flow:to_server,established; content:"GET "; depth:4; uricontent:"stat.htm?id="; uricontent:"&r="; uricontent:"&lg="; uricontent:"&ntime="; uricontent:"&repeatip="; uricontent:"&rtime="; uricontent:"&cnzz|5f|eid="; uricontent:"|2d|&showp="; uricontent:"&st="; uricontent:"&sin"; uricontent:"&res="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011228; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2011228; rev:1;)

Added 2010-07-15 20:37:41 UTC


Topic revision: r3 - 2011-03-10 - PedroMarinho
 