[Emerging-Sigs] sid 2008232
Philipp Bescht
philipp at bescht.de
Tue Jul 8 12:57:53 EDT 2008
hi,
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely)"; flow:established,to_server; uricontent:"/count.htm"; nocase; uricontent:"/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1b"; classtype:trojan-activity; sid:2008232; rev:1;)
didn't catch the following request:
GET /t/d2hsdWF3OzJ0OHY5Oj0,cyJtIm8kaTB,fW9_aSErMC8OExQTFAsWFxgZVh0eGx4fFlBEDhxbQ1tUEBxJXU4DD2YnNyAveHZhPScjOnF8aC4zMj0mOiFrMjk,Nj4=/count.htm
maybe the pattern is still sufficiently unique when shortened to:
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtI
thanks and regards,
philipp
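The following is an added check, not part of the original post or of the Emerging Threats rule set: it approximates Snort's `uricontent` matching (plain substring, case-insensitive under `nocase`) to show why sid 2008232 misses the request quoted above, and confirms that the shortened pattern proposed in the post is exactly the longest prefix the rule's pattern shares with the observed URI. The URIs and patterns are copied from the post; the `uricontent_match` semantics are a simplification (no `offset`/`depth`, no URI normalization).

```python
"""Check the uricontent options of sid 2008232 against the request from the post.

The matching here is a simplified model of Snort's ``uricontent``: an exact
substring test on the request URI, case-insensitive when ``nocase`` is set.
"""

# Patterns exactly as they appear in the rule quoted in the post.
RULE_PATTERN_FULL = "/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1b"
RULE_PATTERN_COUNT = "/count.htm"  # this option carries 'nocase' in the rule

# The shortened pattern proposed in the post.
PROPOSED_PREFIX = "/t/d2hsdWF3OzJ0OHY5Oj0,cyJtI"

# The request URI the rule failed to catch (from the post).
OBSERVED_URI = (
    "/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIm8kaTB,fW9_aSErMC8OExQTFAsWFxgZVh0eGx4fFlBEDhxbQ1tUEBxJXU4DD2Yn"
    "NyAveHZhPScjOnF8aC4zMj0mOiFrMjk,Nj4=/count.htm"
)


def uricontent_match(uri, pattern, nocase=False):
    """Simplified Snort 'uricontent': pattern must occur as a substring of the URI."""
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri


def evaluate_rule(uri, t_pattern=RULE_PATTERN_FULL):
    """Return which of the two uricontent options match; the rule only fires if both do."""
    count_ok = uricontent_match(uri, RULE_PATTERN_COUNT, nocase=True)
    t_ok = uricontent_match(uri, t_pattern)
    return {"count_htm": count_ok, "t_blob": t_ok, "fires": count_ok and t_ok}


def common_prefix(a, b):
    """Longest common prefix of two strings (the stable part of the checkin path)."""
    n = 0
    limit = min(len(a), len(b))
    while n < limit and a[n] == b[n]:
        n += 1
    return a[:n]


def divergence_index(a, b):
    """Position of the first differing character, or -1 if one is a prefix of the other."""
    shared = len(common_prefix(a, b))
    if shared == min(len(a), len(b)):
        return -1
    return shared


if __name__ == "__main__":
    original = evaluate_rule(OBSERVED_URI)
    print("rule as written:", original)
    print("first mismatch at index", divergence_index(RULE_PATTERN_FULL, OBSERVED_URI))
    print("shared prefix:", common_prefix(RULE_PATTERN_FULL, OBSERVED_URI))
    print("rule with shortened pattern:", evaluate_rule(OBSERVED_URI, PROPOSED_PREFIX))
```

Running it shows the `/count.htm` option matching while the long `/t/...` blob does not, with the first differing character at index 28, which is exactly the length of the proposed prefix. Whether 28 characters of that blob are still unique enough to avoid false positives is a judgement about other traffic that this check cannot make; it only confirms that the shortened pattern would have matched both the original pattern's path and the missed request.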