[Emerging-Sigs] sid 2008232
Matt Jonkman
jonkman at jonkmans.com
Tue Jul 8 13:50:56 EDT 2008
I think that's a good change, thanks Philipp. I'll post it now!
Matt
Philipp Bescht wrote:
> hi,
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net
> likely)"; flow:established,to_server; uricontent:"/count.htm"; nocase;
> uricontent:"/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1b";
> classtype:trojan-activity; sid:2008232; rev:1;)
>
> didn't catch the following request:
>
> GET /t/d2hsdWF3OzJ0OHY5Oj0,cyJtIm8kaTB,fW9_aSErMC8OExQTFAsWFxgZVh0eGx4fFlBEDhxbQ1tUEBxJXU4DD2YnNyAveHZhPScjOnF8aC4zMj0mOiFrMjk,Nj4=/count.htm
>
>
> maybe the pattern is still sufficiently unique when shortened to:
> /t/d2hsdWF3OzJ0OHY5Oj0,cyJtI
>
> thanks and regards,
> philipp
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
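The thread's point is that the second uricontent in sid 2008232 is a case-sensitive substring test on the full encoded token, so any request whose token diverges after the shared prefix is missed, and Philipp's shortened pattern is exactly the part the two tokens have in common. The script below is an added illustration, not code from the thread or from Emerging Threats: it emulates only the uricontent semantics needed here (substring match on the URI, with nocase applying to the preceding content keyword alone; no URI normalization) and runs the original and shortened rules over the missed request quoted above plus two constructed sample URIs.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class UriContent:
    """One uricontent test from a Snort rule.

    Simplified model (assumption for this example): a plain substring
    search over the request URI, case-insensitive only when `nocase` is set.
    """
    pattern: str
    nocase: bool = False

    def matches(self, uri: str) -> bool:
        if self.nocase:
            return self.pattern.lower() in uri.lower()
        return self.pattern in uri


def rule_matches(tests, uri: str) -> bool:
    """A rule fires only when every content test matches."""
    return all(t.matches(uri) for t in tests)


def common_prefix(a: str, b: str) -> str:
    """Longest shared prefix of two strings (how a shortened pattern is derived)."""
    return os.path.commonprefix([a, b])


# Content tests as written in sid 2008232 rev:1 (first test has nocase,
# the long token does not).
ORIGINAL_RULE = (
    UriContent("/count.htm", nocase=True),
    UriContent("/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1b"),
)

# Same rule with the token cut down to the prefix proposed in the thread.
SHORTENED_RULE = (
    UriContent("/count.htm", nocase=True),
    UriContent("/t/d2hsdWF3OzJ0OHY5Oj0,cyJtI"),
)

# Sample URIs. MISSED_URI is the request quoted in the thread; the other two
# are constructed for this example.
MISSED_URI = (
    "/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIm8kaTB,fW9_aSErMC8OExQTFAsWFxgZVh0eGx4fFlBEDhxbQ1tUEBxJXU4DD2YnNyAveHZhPScjOnF8aC4zMj0mOiFrMjk,Nj4=/count.htm"
)
MATCHING_URI = (  # constructed: a token that begins with the full original pattern
    "/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bQUJD/count.htm"
)
BENIGN_URI = "/t/some-unrelated-token/count.htm"  # constructed: should never fire


def evaluate(uri: str) -> dict:
    """Return which rule variants would fire on a given URI."""
    return {
        "original": rule_matches(ORIGINAL_RULE, uri),
        "shortened": rule_matches(SHORTENED_RULE, uri),
    }


if __name__ == "__main__":
    for name, uri in (("missed", MISSED_URI), ("matching", MATCHING_URI), ("benign", BENIGN_URI)):
        print(f"{name:9s} {evaluate(uri)}")
    # The proposed shortened token is exactly the longest prefix shared by
    # the original pattern and the missed request.
    print("shared prefix:", common_prefix(ORIGINAL_RULE[1].pattern, MISSED_URI))
```

The last line is the check worth keeping around when trimming a content match: compute the common prefix of the existing pattern and the sample that was missed, then judge whether what is left is still specific enough that a benign URI would not carry it.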