[Emerging-Sigs] Possible mislabeled Sigs Current Events?

Matt Jonkman jonkman at jonkmans.com
Sat Jan 5 08:20:53 EST 2008


I was thinking that as well, but the AV results are Tibs, Peacomm,
Storm, Sintun, etc. The AV industry's difficult way of saying Storm.

Matt

Jeremy wrote:
> Aren't these all Zlob associated files and not storm?
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> (VideoAccessCodecInstall.exe)"; flow:established,to_server;
> uricontent:"/VideoAccessCodecInstall.exe"; nocase; sid:2007729;
> rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> (codecultra1123.exe)"; flow:established,to_server;
> uricontent:"/codecultra"; nocase; uricontent:".exe"; nocase;
> sid:2007730; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> (codecultra1123.dmg)"; flow:established,to_server;
> uricontent:"/codecultra"; nocase; uricontent:".dmg"; nocase;
> sid:2007731; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> (codecnice1126.exe)"; flow:established,to_server;
> uricontent:"/codecnice"; nocase; uricontent:".exe"; nocase;
> sid:2007732; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> (codecnice1126.dmg)"; flow:established,to_server;
> uricontent:"/codecnice"; nocase; uricontent:".dmg"; nocase;
> sid:2007733; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> (Install_video_3913230.exe)"; flow:established,to_server;
> uricontent:"/Install_video_"; nocase; uricontent:".exe"; nocase;
> sid:2007734; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested
> (virusranger.exe)"; flow:established,to_server;
> uricontent:"/virusranger.exe"; nocase; sid:2007735; rev:1;)
> 
> 
> --jeremy
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Fax 61-29-4750-026
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
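Added example (mine, not code from the list or from Emerging Threats): a small Python scanner that parses the uricontent/nocase options of the sigs quoted above and runs them over constructed HTTP request lines, to show exactly which URIs these rules fire on and that several uricontent options in one rule are ANDed, so "/codecultra" alone without ".exe" or ".dmg" does not alert. The rule strings are copied from Jeremy's mail (sids 2007729, 2007730, 2007731 and 2007735, line breaks removed); the request lines are constructed; flow direction and Snort's URI normalization are assumed away (the match runs on the raw request path).

```python
import re

# Rules copied from the quoted mail, joined onto single lines (sids as posted).
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (VideoAccessCodecInstall.exe)"; flow:established,to_server; uricontent:"/VideoAccessCodecInstall.exe"; nocase; sid:2007729; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecultra1123.exe)"; flow:established,to_server; uricontent:"/codecultra"; nocase; uricontent:".exe"; nocase; sid:2007730; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (codecultra1123.dmg)"; flow:established,to_server; uricontent:"/codecultra"; nocase; uricontent:".dmg"; nocase; sid:2007731; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Likely Storm Binary Requested (virusranger.exe)"; flow:established,to_server; uricontent:"/virusranger.exe"; nocase; sid:2007735; rev:1;)',
]

# Constructed request lines (not real traffic), as a proxy or sensor would log them.
SAMPLE_REQUESTS = [
    "GET /VideoAccessCodecInstall.exe HTTP/1.1",
    "GET /CodecUltra1123.EXE HTTP/1.1",       # mixed case: nocase must still fire
    "GET /codecultra1123.dmg HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /virusranger.exe HTTP/1.1",
    "GET /codecultra/readme.txt HTTP/1.1",    # prefix matches, but no .exe/.dmg: no alert
]

# One rule option: name, optional ":value" (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]+))?\s*;')


def parse_rule(rule):
    """Extract msg, sid and the ordered uricontent list (with per-pattern nocase)."""
    header, _, options = rule.partition("(")     # first '(' opens the option section
    options = options.rstrip().rstrip(")")
    parsed = {"msg": None, "sid": None, "uricontent": []}
    for m in OPTION_RE.finditer(options):
        name, value = m.group(1), m.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]                   # strip the quotes
        if name == "msg":
            parsed["msg"] = value
        elif name == "sid":
            parsed["sid"] = int(value)
        elif name == "uricontent":
            parsed["uricontent"].append({"pattern": value, "nocase": False})
        elif name == "nocase" and parsed["uricontent"]:
            # nocase modifies the content/uricontent option that precedes it
            parsed["uricontent"][-1]["nocase"] = True
    return parsed


def match_uri(parsed_rule, uri):
    """True when every uricontent pattern occurs in the URI (AND semantics)."""
    for uc in parsed_rule["uricontent"]:
        haystack, needle = uri, uc["pattern"]
        if uc["nocase"]:
            haystack, needle = uri.lower(), needle.lower()
        if needle not in haystack:
            return False
    return bool(parsed_rule["uricontent"])


def scan_requests(request_lines, rules=RULES):
    """Return (sid, uri) for every request line that a rule would alert on."""
    parsed = [parse_rule(r) for r in rules]
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue                              # skip malformed request lines
        uri = parts[1]
        for rule in parsed:
            if match_uri(rule, uri):
                hits.append((rule["sid"], uri))
    return hits


if __name__ == "__main__":
    for sid, uri in scan_requests(SAMPLE_REQUESTS):
        print(f"sid {sid} fired on {uri}")
```

Note that ".exe" and ".dmg" match anywhere in the path, so a URI such as /codecultra1123.exe.txt would also trip sid 2007730; the sigs as posted rely on the "/codecultra" prefix rather than on an anchored extension to keep that narrow.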
