[Emerging-Sigs] worth writing a signature?

Marcus marc at unsober.org
Thu Jul 3 10:58:10 EDT 2008


I've run into some samples with content-type as javascript but it
downloads an executable. Would it be worth writing a signature to
catch content:"|0d 0a|MZ" and
content:"Content-Type\: application/x-javascript"? I can't imagine a
legitimate use for this, so FPs should be limited.

Matt's suggestion,

Compare to 2001685 and 2001684:

alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows
executable sent when remote host claims to send image, Win32"; flow:
established; content:"Content-Type\: image"; content:"|0d 0a|MZ";
isdataat: 76,relative; content:"This program must be run under Win32";
classtype: trojan-activity; sid: 2001684; rev:7;)

alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows
executable sent when remote host claims to send an image"; flow:
established; content:"Content-Type\: image"; content:"|0d 0a|MZ";
within: 12; classtype: trojan-activity; sid: 2001685; rev:5;)

Any thoughts?

Cheers,
Marc
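A host-side version of the check discussed above, covering both the proposed javascript case and the image case from 2001684/2001685. This is an added example, not code from the thread or the ET ruleset; the list of claimed types, the header/body split and the sample response bytes are assumptions constructed for illustration.

```python
import re

# Claimed types that should never carry a PE body: the javascript case from the
# question plus the image case from ET rules 2001684/2001685 (assumed list).
SUSPICIOUS_TYPES = ("application/x-javascript", "text/javascript", "image/")
# DOS-stub string that rule 2001684 requires for its higher-confidence match.
WIN32_STUB = b"This program must be run under Win32"


def split_http_response(raw: bytes):
    """Split a raw HTTP response into (headers, body); None if no header terminator."""
    sep = raw.find(b"\r\n\r\n")
    return None if sep < 0 else (raw[:sep], raw[sep + 4:])


def claimed_content_type(headers: bytes) -> str:
    """Return the lower-cased Content-Type media type ('' if the header is absent)."""
    m = re.search(rb"(?im)^content-type:\s*([^\r\n;]+)", headers)
    return m.group(1).decode("latin-1").strip().lower() if m else ""


def classify_response(raw: bytes):
    """Apply the thread's signature logic to one HTTP response.

    Returns None when nothing is wrong, else (verdict, claimed_type) where
    'possible'  = claimed type is javascript/image but the body starts with "MZ"
                  (the cheap 2001685-style check and the proposed javascript one)
    'confirmed' = additionally the Win32 DOS-stub string follows, with at least
                  76 bytes of data after "MZ" (the isdataat check from 2001684)
    """
    parts = split_http_response(raw)
    if parts is None:
        return None
    headers, body = parts
    ctype = claimed_content_type(headers)
    if not ctype.startswith(SUSPICIOUS_TYPES) or not body.startswith(b"MZ"):
        return None
    if len(body) - 2 >= 76 and WIN32_STUB in body[2:]:
        return ("confirmed", ctype)
    return ("possible", ctype)


# Constructed samples (not real captures): a fake DOS header + stub, and the headers.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + WIN32_STUB + b"\r\n$\x00" * 4
JS_HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-javascript\r\n\r\n"
IMG_HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
LEGIT_JS = JS_HEADER + b"document.write('hello');"

if __name__ == "__main__":
    for sample in (JS_HEADER + FAKE_PE, IMG_HEADER + b"MZ" + b"\x00" * 10, LEGIT_JS):
        print(classify_response(sample))
```

Note that the Snort rule 2001685 additionally requires the MZ bytes to land within 12 bytes of the Content-Type match, a positional constraint this host-side check does not reproduce.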
