# ET TROJAN sid 2011858 rev 12 (the current revision on this page).  The leading '#' keeps the
# rule DISABLED; it is recorded here commented out and must be un-commented to load.
#
# What it matches (outbound client requests only: $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS,
# flow:established,to_server):
#   - method GET (nocase on http_method; this is the only difference from rev 11),
#   - raw payload " HTTP/1.0\r\nUser-Agent: " as the fast_pattern, i.e. an HTTP/1.0 request line
#     with User-Agent as the very first header,
#   - ".php" anywhere in the normalized URI buffer (nocase, http_uri),
#   - raw payload "\r\nHost: " followed (distance:0) by "\r\nPragma: no-cache\r\n".
#   The User-Agent/Host/Pragma checks carry no http_* modifier, so they are raw-buffer matches
#   and depend on exact CRLF and ": " spacing.  The trigger is a header *structure*, not a
#   malware-specific indicator (the msg itself says "Likely"), which is why the allowlist of
#   apparently-legitimate update/telemetry hosts below exists.
#
# Exclusions (negated content):
#   - "\r\nHost: update.nai.com" is anchored with distance:0 to the Pragma match, so it is only
#     searched in the bytes AFTER "Pragma: no-cache\r\n".  The positive chain already requires
#     Host to precede Pragma, so this exclusion looks like it can only fire when a second Host
#     header follows Pragma -- NOTE(review): verify against real traffic; if it is meant as a
#     plain host allowlist it should probably be an unanchored http_header match like the next
#     three.
#   - "\r\nHost: toolbarqueries.google.", ".ceipmsn.com\r\nPragma: " and
#     "Host: stats.mbamupdates.com\r\n" are matched anywhere in the normalized header buffer
#     (http_header, no relative positioning).
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:12;)

Added 2012-03-19 23:39:08 UTC


# sid 2011858 rev 11 (disabled by the leading '#').  The same rev 11 text is recorded at four
# entries on this page (2011-09-13 x3, 2011-09-14, 2011-10-12) with no change between them.
# Rev 12 differs only by adding `nocase` to the GET http_method match; rev 10 differs only in
# the msg typo "Kilely" that this revision corrects.  Detection logic is otherwise unchanged.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:11;)

Added 2011-10-12 19:32:44 UTC


# sid 2011858 rev 11 (disabled by the leading '#'); identical text to the other rev 11 entries
# on this page.  Only the msg wording ("Likely" vs rev 10's "Kilely") separates it from rev 10.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:11;)

Added 2011-09-14 09:55:34 UTC


# sid 2011858 rev 11 (disabled by the leading '#'); identical text to the other rev 11 entries
# on this page.  Only the msg wording ("Likely" vs rev 10's "Kilely") separates it from rev 10.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:11;)

Added 2011-09-13 21:51:34 UTC


# sid 2011858 rev 11 (disabled by the leading '#'); first appearance of the rev 11 text on this
# page.  It only fixes the msg typo ("Kilely" -> "Likely") from rev 10; the match chain and the
# four negated host exclusions are byte-identical to rev 10.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:11;)

Added 2011-09-13 16:35:33 UTC


# sid 2011858 rev 10 (disabled by the leading '#').  The msg still carries the typo "Kilely";
# it is left untouched here because msg is part of the rule text as published, and rev 11 is the
# revision that corrects it.  Relative to rev 9, this revision drops the "SpyEye? style"
# attribution and the two reference: URLs; the detection logic is unchanged.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kilely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:10;)

Added 2011-09-13 15:34:35 UTC


# sid 2011858 rev 10 (disabled by the leading '#'); identical text to the other rev 10 entry on
# this page, msg typo "Kilely" included.  Same match chain as rev 9, minus its references.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kilely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:10;)

Added 2011-09-13 14:14:48 UTC


# sid 2011858 rev 9 (disabled by the leading '#'), the earliest revision on this page.  The msg
# attributes the header structure to SpyEye ("SpyEye? style") and the rule carries two
# reference: URLs (Symantec and krebsonsecurity SpyEye/Zeus write-ups); rev 10 and later drop the
# attribution and the references but keep the match chain and the four negated host exclusions
# exactly as written here.  The "?" in the msg already signals the attribution was tentative.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye? style HTTP Header GET structure"; flow:established,to_server; content:"GET"; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/; sid:2011858; rev:9;)

Added 2011-02-04 17:31:39 UTC

