# sid 2012645, rev 4. Alerts on an established client-to-server flow from $HOME_NET to
# $EXTERNAL_NET on $HTTP_PORTS that carries "GET / HTTP/1." followed by the exact header
# block Connection: close / Host: www.google.com / Pragma: no-cache and the blank line
# that ends the request.
# within:65 is relative to the end of the first content match. The second pattern is
# 63 bytes long, so it must start right after the HTTP minor-version digit; a request
# with any other header between the request line and this block does not match.
# Neither content has nocase or an HTTP buffer modifier, so matching is case-sensitive
# and done on the raw payload bytes.
# Triage: the rule matches the shape of a connectivity check to www.google.com, not a
# C2 exchange. The families in msg are given as "likely"; confirm on the host before
# treating an alert as an infection.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GET to Google with specific HTTP lib likely Cycbot/Bifrose/Kryptic checking Internet connection "; flow:established,to_server; content:"GET|20|/|20|HTTP/1."; content:"|0d 0a|Connection|3a 20|close|0d 0a|Host|3a 20|www.google.com|0d 0a|Pragma|3a 20|no-cache|0d 0a 0d 0a|"; within:65; classtype:trojan-activity; sid:2012645; rev:4;)

Added 2011-11-07 19:34:20 UTC


# sid 2012645, rev 3. Header, flow, both content patterns, within:65 and classtype are
# the same as in the rev 4 entry at the top of this page; only msg and rev differ.
# msg here is the generic "likely infected" wording, where rev 4 names
# Cycbot/Bifrose/Kryptic.
# Matches an outbound "GET / HTTP/1.x" whose headers are exactly Connection: close,
# Host: www.google.com, Pragma: no-cache, in that order, directly after the request line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GET to Google with specific HTTP lib likely infected checking Internet connection"; flow:established,to_server; content:"GET|20|/|20|HTTP/1."; content:"|0d 0a|Connection|3a 20|close|0d 0a|Host|3a 20|www.google.com|0d 0a|Pragma|3a 20|no-cache|0d 0a 0d 0a|"; within:65; classtype:trojan-activity; sid:2012645; rev:3;)

Added 2011-10-12 19:34:51 UTC


# sid 2012645, rev 3, as listed under the 2011-04-06 date.
# NOTE(review): this line is byte-identical to the entry dated 2011-10-12 on this page,
# including rev:3. The page does not show what, if anything, changed between the two dates.
# Matches an outbound "GET / HTTP/1.x" on an established flow whose headers are exactly
# Connection: close, Host: www.google.com, Pragma: no-cache, with the header block
# required within 65 bytes of the request-line match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GET to Google with specific HTTP lib likely infected checking Internet connection"; flow:established,to_server; content:"GET|20|/|20|HTTP/1."; content:"|0d 0a|Connection|3a 20|close|0d 0a|Host|3a 20|www.google.com|0d 0a|Pragma|3a 20|no-cache|0d 0a 0d 0a|"; within:65; classtype:trojan-activity; sid:2012645; rev:3;)

Added 2011-04-06 17:38:10 UTC

