# sid 2011374, rev 6 -- policy rule for outbound HTTP requests to the .co.cc zone.
# Fires on established client-to-server HTTP traffic from $HOME_NET to $EXTERNAL_NET (any
# port) when the http_header buffer contains ".co.cc" immediately followed by CRLF (|0D 0A|).
# Matching limits worth knowing when triaging or tuning:
#  - there is no nocase modifier, so an upper- or mixed-case ".CO.CC" is not matched;
#  - the pattern is not tied to the Host header: a Host value with an explicit port
#    (".co.cc:8080") does not end its line with ".co.cc" and is missed, while any other
#    header line that ends in ".co.cc" does match;
#  - it covers the whole zone rather than known-bad hostnames, so benign sites alert too
#    (classtype bad-unknown). A per-source suppress or threshold entry for this sid is a
#    narrower local adjustment than disabling the rule outright.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.cc domain"; flow:to_server,established; content:".co.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2011374; rev:6;)

Added 2014-09-12 16:28:27 UTC


# sid 2011374, rev 4 (msg: "HTTP Request to a *.co.cc domain"; listed here as added 2011-12-01).
# TCP rule restricted to $HTTP_PORTS: requires an established client-to-server flow and the
# bytes ".co.cc" + CRLF (|0D 0A|) in the http_header buffer.
# fast_pattern:only passes the string to the fast pattern matcher and does not evaluate it
# again as a separate content option.
# NOTE(review): because the destination is bound to $HTTP_PORTS, requests to .co.cc hosts on
# ports outside that variable are not inspected by this revision.
# NOTE(review): this page shows two entries carrying rev:4 that differ only in msg; when
# correlating stored alerts, compare the msg text as well as sid/rev.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.co.cc domain"; flow: to_server,established; content:".co.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2011374; rev:4;)

Added 2011-12-01 18:59:13 UTC


# sid 2011374, rev 4 (msg: "HTTP Request to a Suspicious *.co.cc domain"; listed here as
# added 2011-10-12).
# Same match logic as the visible options state: $HOME_NET -> $EXTERNAL_NET on $HTTP_PORTS,
# established client-to-server flow, ".co.cc" + CRLF (|0D 0A|) in the http_header buffer,
# with the string used for fast pattern matching only (fast_pattern:only).
# The match is on the zone suffix alone, so the word "Suspicious" in msg reflects the zone's
# reputation, not an indicator tied to a specific host; treat hits as a lead to review.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Suspicious *.co.cc domain"; flow: to_server,established; content:".co.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2011374; rev:4;)

Added 2011-10-12 19:31:53 UTC


# sid 2011374, rev 3 (listed here as added 2011-02-04).
# Enabled TCP rule on $HTTP_PORTS: established client-to-server flow, ".co.cc" + CRLF
# (|0D 0A|) in the http_header buffer, string used for fast pattern matching only.
# This revision carries no reference: options, so an analyst has only the msg text and the
# sid to go on when looking up background for an alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP contacting a suspicious *.co.cc domain"; flow: to_server,established; content:".co.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2011374; rev:3;)

Added 2011-02-04 17:31:11 UTC


# sid 2011374, rev 2 (listed here as added 2010-08-19).
# The leading '#' means this revision is commented out, so an engine loading the file
# as written does not evaluate it; it has to be enabled locally to produce alerts.
# There is no flow: option, so the rule is not limited to established client-to-server
# sessions; direction comes only from the $HOME_NET -> $EXTERNAL_NET address variables.
# The content is matched in the http_header buffer with no nocase modifier (case-sensitive)
# and no fast_pattern option. Two reference URLs point to the rule's documentation pages.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP contacting a suspicious *.co.cc domain"; content:".co.cc|0D 0A|"; http_header; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2011374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Suspicious_Domains; sid:2011374; rev:2;)

Added 2010-08-19 16:58:23 UTC

We have plenty of Iranian students here, and it seems that legitimate content of interest to them is hosted under .co.cc. Is there any way to constrain this rule? I've disabled it for now.

-- MikePatterson - 30 Nov 2010


Topic revision: r2 - 2010-11-30 - MikePatterson
 