alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Executable Download Purporting to be JavaScript? likely 2nd stage Infection"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a| application/x-javascript"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fast_pattern; classtype:trojan-activity; sid:2013352; rev:4;)

Added 2016-08-12 18:32:22 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Executable Download Purporting to be JavaScript? likely 2nd stage Infection"; flow:established,from_server; content:"Content-Type|3a| application/x-javascript"; nocase; http_header; content:"|4D 5A 90 00 03 00 00 00 04|"; fast_pattern; content:"This program"; within:200; classtype:trojan-activity; sid:2013352; rev:1;)

Added 2011-10-12 19:36:40 UTC

This False Positives on this site: https://www2.shopkeypro.com/ (IP - 66.162.150.133) The included js - https://www2.shopkeypro.com/Scripts/globalLayoutCombined_2E6E5E690408B826955B685772F7FAAA.js - get received as an application and the server uses IIS 7.5 and has several backbonejs libraries.

HTTP Headers: HTTP/1.1 200 OK Content-Type: application/x-javascript Content-Encoding: gzip Last-Modified: Mon, 15 Feb 2016 21:37:22 GMT Accept-Ranges: bytes ETag: "09589d3968d11:0" Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET X-UA-Compatible: IE=edge,chrome=1 Date: Fri, 15 Apr 2016 13:02:16 GMT Content-Length: 1728

-- JimMcKibben - 2016-04-15

Do you have 443 in your HTTP_PORTS? Stock Suricata and Snort doesn't include 443 in HTTP_PORTS. This sig shouldn't fire on https traffic.

-- FrancisTrudeau - 2016-04-15


Topic revision: r3 - 2016-04-15 - FrancisTrudeau
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats