[Emerging-Sigs] gicia.info
Markus Lude
markus.lude at gmx.de
Tue Jul 8 16:37:24 EDT 2008
On Tue, Jul 08, 2008 at 03:17:39PM -0400, Matt Jonkman wrote:
> #by Philipp Bescht
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Gcia.info Related Trojan Checkin";
> flow:established,to_server; uricontent:"/cd/"; uricontent:".php?id=";
> nocase; uricontent:"&ver="; nocase; content:"|0d 0a|Host\: gcia.info";
> classtype:trojan-activity; sid:2008382; rev:1;)
Aehm, isn't the host gicia.info? Same in the message string.
Regards,
Markus
More information about the Emerging-sigs
mailing list