#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RiskTool.Win32.WFPDisabler Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/go.asp?"; nocase; http_uri; content:"svid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"tpages="; nocase; http_uri; content:"ttimes="; nocase; http_uri; content:"tzone="; nocase; http_uri; content:"tcolor="; nocase; http_uri; content:"vpage="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=c81be1cf10d9578803dab8c1bc62ccfa; classtype:web-application-attack; sid:2012588; rev:4; metadata:created_at 2011_03_28, updated_at 2011_03_28;)

Added 2017-08-07 21:05:45 UTC


##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RiskTool.Win32.WFPDisabler Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/go.asp?"; nocase; http_uri; content:"svid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"tpages="; nocase; http_uri; content:"ttimes="; nocase; http_uri; content:"tzone="; nocase; http_uri; content:"tcolor="; nocase; http_uri; content:"vpage="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=c81be1cf10d9578803dab8c1bc62ccfa; classtype:web-application-attack; sid:2012588; rev:3;)

Added 2011-10-12 19:34:43 UTC


##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RiskTool.Win32.WFPDisabler Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/go.asp?"; nocase; http_uri; content:"svid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"tpages="; nocase; http_uri; content:"ttimes="; nocase; http_uri; content:"tzone="; nocase; http_uri; content:"tcolor="; nocase; http_uri; content:"vpage="; http_uri; nocase; classtype:web-application-attack; reference:url,threatexpert.com/report.aspx?md5=c81be1cf10d9578803dab8c1bc62ccfa; sid:2012588; rev:3;)

Added 2011-06-28 19:35:50 UTC

Likely FP from baidu-related traffic:

GET /go.asp?we=A-Free-Service-for-Webmasters&svid=8&id=961293&tpages=1&ttimes=1&tzone=12&tcolor=32&sSize=1680,1050&referrer=http%3A//www.baidu.com/s%3Fwd%3D%25B0%25C4%25D6%25DE%25BD%25F4%25C8%25B1%25D7%25A8%25D2%25B5%26rsp%3D9%26oq%3D%25BE%25AD%25BC%25C3%2520%25BD%25F4%25C8%25B1%25D7%25A8%25D2%25B5%26f%3D1%26rsv_ers%3Dxn1&vpage=http%3A//www.sooxue.com/foreignLanguage/liuxuezhinan/zhuanye/200712/65516.html HTTP/1.1

I wonder if this is another 'legit' usage tracker being used by crims?

-- RussellFulton - 08 Aug 2011
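As an added illustration (not part of this rule page or the ET ruleset), the script below emulates the independent, case-insensitive `http_uri` content matches of sid:2012588 on the request line quoted above, showing why a generic tracker with the same parameter names fires the rule; all function and variable names are this example's own.

```python
"""Emulate the content matches of ET sid:2012588 on an HTTP request line."""
from urllib.parse import urlsplit, parse_qsl

# Content matches from sid:2012588, in rule order (all carry http_uri and nocase).
RULE_CONTENTS = ["/go.asp?", "svid=", "id=", "tpages=", "ttimes=",
                 "tzone=", "tcolor=", "vpage="]

# Request line of the reported false positive, copied from the page.
SAMPLE_REQUEST_LINE = (
    "GET /go.asp?we=A-Free-Service-for-Webmasters&svid=8&id=961293&tpages=1"
    "&ttimes=1&tzone=12&tcolor=32&sSize=1680,1050&referrer=http%3A//www.baidu.com/"
    "s%3Fwd%3D%25B0%25C4%25D6%25DE%25BD%25F4%25C8%25B1%25D7%25A8%25D2%25B5%26rsp%3D9"
    "%26oq%3D%25BE%25AD%25BC%25C3%2520%25BD%25F4%25C8%25B1%25D7%25A8%25D2%25B5%26f%3D1"
    "%26rsv_ers%3Dxn1&vpage=http%3A//www.sooxue.com/foreignLanguage/liuxuezhinan/"
    "zhuanye/200712/65516.html HTTP/1.1"
)


def split_request_line(line):
    """Return (method, uri) from an HTTP/1.x request line."""
    method, uri, _version = line.split(" ", 2)
    return method, uri


def content_offsets(uri, contents=RULE_CONTENTS):
    """First match offset of each content string in the URI (-1 if absent).

    Each content is tested on its own, since the rule has no distance/within
    modifiers, so matches may overlap: "id=" is already satisfied inside "svid=".
    """
    lowered = uri.lower()
    return {c: lowered.find(c.lower()) for c in contents}


def rule_matches(line):
    """True when the request line satisfies every match of sid:2012588."""
    method, uri = split_request_line(line)
    return method == "GET" and all(off >= 0 for off in content_offsets(uri).values())


def query_param_names(uri):
    """Parameter names in the query string, to compare the tracker's real
    parameters against the subset the rule keys on."""
    return [name for name, _ in parse_qsl(urlsplit(uri).query, keep_blank_values=True)]


if __name__ == "__main__":
    _, sample_uri = split_request_line(SAMPLE_REQUEST_LINE)
    print("rule fires:", rule_matches(SAMPLE_REQUEST_LINE))
    print("offsets:", content_offsets(sample_uri))
    print("query params:", query_param_names(sample_uri))
```

The control request line used in the test below (`/go.asp?svid=8&id=1`) is constructed for this example and is not traffic from the page.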


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RiskTool.Win32.WFPDisabler Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/go.asp?"; nocase; http_uri; content:"svid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"tpages="; nocase; http_uri; content:"ttimes="; nocase; http_uri; content:"tzone="; nocase; http_uri; content:"tcolor="; nocase; http_uri; content:"vpage="; http_uri; nocase; classtype:web-application-attack; reference:url,threatexpert.com/report.aspx?md5=c81be1cf10d9578803dab8c1bc62ccfa; sid:2012588; rev:2;)

Added 2011-03-28 17:33:32 UTC


Topic revision: r2 - 2011-08-08 - RussellFulton