EmergingThreats> Main Web>2002839 (revision 2)EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My Search Spyware Config Download"; flow: to_server,established; uricontent:"/ms"; nocase; uricontent:"cfg.jsp?"; uricontent:"v="; nocase; nocase; pcre:"/\/ms\d\d\dcfg\.jsp/Ui"; classtype:trojan-activity; sid:2002839; rev:2; )

Auto-added on 2007-02-28 02:03:35



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My Search Spyware Config Download"; flow: to_server,established; uricontent:"/ms"; nocase; uricontent:"cfg.jsp?"; uricontent:"v="; nocase; nocase; pcre:"/\/ms\d\d\dcfg\.jsp/Ui"; classtype:trojan-activity; sid:2002839; rev:2; )

Auto-added on 2007-02-28 01:29:35


Seeing hits like this:

GET /ms142cfg.jsp?v=2.0.2.24&e=aaec&r=5&l=1d&c=01&a=8B0F46B5-E2B6-4EB0-88AF-7D27A7D5E569&n=2005110414 HTTP/1.1

in the spyware listening post. The version keeps incrementing. So changed it to a pcre after uricontent matches. This obsoletes 2003393 and 2003361.

-- MattJonkman - 28 Feb 2007


Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r2 - 2007-02-28 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats