# Disabled: the leading '#' comments the rule out, so the engine does not load it;
# it is kept here for history.
# Second stage of a two-part check. It fires only on a server->client packet in an
# established flow whose entire payload is exactly four NUL bytes
# (dsize:4 together with content:"|00 00 00 00|") AND only if the flowbit
# BEposs.warezov.challenge was already set on this flow — presumably by a companion
# rule that matched the client's challenge; that rule is not on this page.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Warezov/Stration Challenge Response"; flowbits:isset,BEposs.warezov.challenge; flow:established,from_server; dsize:4; content:"|00 00 00 00|"; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Warezov; sid:2003176; rev:5;)

Added 2011-03-25 14:48:55 UTC


# Flags HTTP responses (server->client from $HTTP_PORTS, established flow) that carry
# JavaScript of the form  var <name> = unescape(<one char>%uXXXX%uXXXX...)  — the
# shape of %u-encoded shellcode embedded in a page. The three content matches
# ("= unescape(", then "%u" within 3 bytes, then "%u" within 6) are the cheap
# pre-filter; the pcre confirms the full assignment. The '.' after "unescape(" in the
# pcre stands for any single character, presumably the opening quote.
# NOTE(review): the pcre's character classes "[a-z,0-9]" and "[a-f,0-9]" contain a
# literal comma — inside [] a comma is an ordinary character, not a separator — so a
# comma is accepted in the variable name and in the "hex" digits; "[a-z0-9]" /
# "[a-f0-9]" is almost certainly what was intended (out-of-scope to change here).
# NOTE(review): the reference URL is a Google search redirect carrying session and
# tracking parameters rather than the Symantec paper's direct URL; a direct link
# would be more durable.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; classtype:shellcode-detect; reference:url,http://www.google.co.uk/url?sa=t&source=web&cd=1&ved=0CBoQFjAA&url=http%3A%2F%2Fwww.symantec.com%2Favcenter%2Freference%2Fevolving.shell.code.pdf&rct=j&q=shellcode%20symantec&ei=m-KDTc38MNSKhQe297G7BA&usg=AFQjCNH_DltEEgL7ZLPMGMIapD1ZdOrnzA&cad=rja; sid:2012544; rev:4;)

Added 2011-03-24 16:29:31 UTC


# Byte-for-byte identical to the sid:2012544 rev:4 entry listed earlier on this page
# (same sid, same rev, same options); the two "Added" timestamps differ by under an
# hour, so this looks like a repeated import rather than a revision — unconfirmed.
# Detects  var <name> = unescape(<one char>%uXXXX%uXXXX...)  in HTTP responses:
# content matches pre-filter, the pcre confirms.
# NOTE(review): the pcre's "[a-z,0-9]" / "[a-f,0-9]" classes include a literal comma
# (a comma inside [] is not a separator), so commas are accepted where only
# alphanumerics / hex digits were presumably intended.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; classtype:shellcode-detect; reference:url,http://www.google.co.uk/url?sa=t&source=web&cd=1&ved=0CBoQFjAA&url=http%3A%2F%2Fwww.symantec.com%2Favcenter%2Freference%2Fevolving.shell.code.pdf&rct=j&q=shellcode%20symantec&ei=m-KDTc38MNSKhQe297G7BA&usg=AFQjCNH_DltEEgL7ZLPMGMIapD1ZdOrnzA&cad=rja; sid:2012544; rev:4;)

Added 2011-03-24 15:49:39 UTC

