[Emerging-Sigs] Possible mislabeled Sig's Current Events?

Jeremy cjeremy at gmail.com
Fri Jan 4 22:15:36 EST 2008


Aren't these all Zlob associated files and not storm?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (VideoAccessCodecInstall.exe)"; flow:established,to_server; uricontent:"/VideoAccessCodecInstall.exe"; nocase; sid:2007729; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecultra1123.exe)"; flow:established,to_server; uricontent:"/codecultra"; nocase; uricontent:".exe"; nocase; sid:2007730; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecultra1123.dmg)"; flow:established,to_server; uricontent:"/codecultra"; nocase; uricontent:".dmg"; nocase; sid:2007731; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecnice1126.exe)"; flow:established,to_server; uricontent:"/codecnice"; nocase; uricontent:".exe"; nocase; sid:2007732; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecnice1126.dmg)"; flow:established,to_server; uricontent:"/codecnice"; nocase; uricontent:".dmg"; nocase; sid:2007733; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (Install_video_3913230.exe)"; flow:established,to_server; uricontent:"/Install_video_"; nocase; uricontent:".exe"; nocase; sid:2007734; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (virusranger.exe)"; flow:established,to_server; uricontent:"/virusranger.exe"; nocase; sid:2007735; rev:1;)


--jeremy
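The seven signatures above match only on URI substrings; the malware family name appears solely in the free-text msg, so whether the label reads Storm or Zlob has no effect on which requests fire. The following Python script is an added example (not part of Jeremy's post or of the Emerging Threats ruleset) that parses the quoted rules, applies their uricontent/nocase clauses to constructed request URIs, and reports which sids fire. It is a simplified matcher: it treats each uricontent as an independent substring test on the raw URI and does not perform Snort's URI normalization, which is an assumption made for illustration.

```python
import re
from dataclasses import dataclass, field

# The seven signatures quoted in the post, one rule per line (mailing-list
# line wrapping removed; rule content is otherwise as posted).
RULES_TEXT = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (VideoAccessCodecInstall.exe)"; flow:established,to_server; uricontent:"/VideoAccessCodecInstall.exe"; nocase; sid:2007729; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecultra1123.exe)"; flow:established,to_server; uricontent:"/codecultra"; nocase; uricontent:".exe"; nocase; sid:2007730; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecultra1123.dmg)"; flow:established,to_server; uricontent:"/codecultra"; nocase; uricontent:".dmg"; nocase; sid:2007731; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecnice1126.exe)"; flow:established,to_server; uricontent:"/codecnice"; nocase; uricontent:".exe"; nocase; sid:2007732; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecnice1126.dmg)"; flow:established,to_server; uricontent:"/codecnice"; nocase; uricontent:".dmg"; nocase; sid:2007733; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (Install_video_3913230.exe)"; flow:established,to_server; uricontent:"/Install_video_"; nocase; uricontent:".exe"; nocase; sid:2007734; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (virusranger.exe)"; flow:established,to_server; uricontent:"/virusranger.exe"; nocase; sid:2007735; rev:1;)
'''

# Rule header: action proto src sport -> dst dport ( options )
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
# One option: keyword, optionally ":" plus a quoted or bare value, then ";".
OPTION_RE = re.compile(r'\s*(\w+)(?::(?:"([^"]*)"|([^;]*)))?;')


@dataclass
class UriPattern:
    text: str
    nocase: bool = False


@dataclass
class Rule:
    sid: int
    msg: str
    uri_patterns: list = field(default_factory=list)


def parse_rule(line):
    """Extract sid, msg and the uricontent/nocase clauses from one Snort rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: %r" % line)
    sid, msg, patterns = None, "", []
    for opt in OPTION_RE.finditer(m.group(7)):
        key, quoted, bare = opt.group(1), opt.group(2), opt.group(3)
        value = quoted if quoted is not None else bare
        if key == "msg":
            msg = value
        elif key == "sid":
            sid = int(value)
        elif key == "uricontent":
            patterns.append(UriPattern(value))
        elif key == "nocase" and patterns:
            patterns[-1].nocase = True  # modifier binds to the preceding uricontent
    return Rule(sid, msg, patterns)


def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def rule_matches(rule, uri):
    """Every uricontent clause must appear in the URI (simplified: no URI normalization)."""
    for p in rule.uri_patterns:
        hay, needle = (uri.lower(), p.text.lower()) if p.nocase else (uri, p.text)
        if needle not in hay:
            return False
    return True


RULES = parse_rules(RULES_TEXT)


def matching_sids(uri):
    """Sorted sids of all rules that would fire on a request for this URI."""
    return sorted(r.sid for r in RULES if rule_matches(r, uri))


if __name__ == "__main__":
    # Constructed sample request URIs, not captured traffic.
    for uri in ["/VideoAccessCodecInstall.exe", "/codecultra1123.exe",
                "/files/codecnice1126.dmg", "/install_video_3913230.EXE",
                "/codecultra.html", "/index.html"]:
        print("%-32s -> %s" % (uri, matching_sids(uri) or "no alert"))
```

Two things the run makes visible: the family name in msg never enters the match, so relabeling the seven rules is purely a naming change, and rules that split the filename into a prefix and an extension (sid 2007730 through 2007734) fire on any path carrying both substrings, whereas the two single-pattern rules require the full filename.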

