[Emerging-Sigs] gicia.info
Matt Jonkman
jonkman at jonkmans.com
Tue Jul 8 17:17:20 EDT 2008
We had to go with a different version by the time I posted, sorry. It
ended up 3 sigs without the host field.
Matt
Markus Lude wrote:
> On Tue, Jul 08, 2008 at 03:17:39PM -0400, Matt Jonkman wrote:
>> #by Philipp Bescht
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS Gcia.info Related Trojan Checkin";
>> flow:established,to_server; uricontent:"/cd/"; uricontent:".php?id=";
>> nocase; uricontent:"&ver="; nocase; content:"|0d 0a|Host\: gcia.info";
>> classtype:trojan-activity; sid:2008382; rev:1;)
>
> Aehm, isn't the host gicia.info? Same in the message string.
>
> Regards,
> Markus
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
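The following is an added example, not part of the original thread or of the Emerging Threats rule set: a simplified Python model of the quoted rule's `uricontent`/`content` matching, showing why the misspelled Host string Markus points out would keep the rule from firing on traffic to gicia.info. The sample request, the two rule variants and the helper names are constructed for illustration; the matcher ignores flow, ports and URI normalization.

```python
import re

# Rule text as posted in the quoted message, with the e-mail line wraps joined.
POSTED_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS '
    'Gcia.info Related Trojan Checkin"; flow:established,to_server; '
    'uricontent:"/cd/"; uricontent:".php?id="; nocase; uricontent:"&ver="; nocase; '
    'content:"|0d 0a|Host\\: gcia.info"; classtype:trojan-activity; sid:2008382; rev:1;)'
)
# Constructed variants (assumptions, not the signatures that were finally published).
FIXED_RULE = POSTED_RULE.replace("Gcia", "Gicia").replace("gcia", "gicia")
NO_HOST_RULE = POSTED_RULE.replace('content:"|0d 0a|Host\\: gcia.info"; ', "")

def decode_content(pattern):
    """Convert a Snort content string to bytes: |..| hex runs and backslash escapes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes and hold hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)

def parse_matches(rule):
    """Return (keyword, pattern_bytes, nocase) for each content/uricontent option."""
    found = re.findall(r'(uricontent|content):"((?:[^"\\]|\\.)*)";(\s*nocase;)?', rule)
    return [(kw, decode_content(pat), bool(nc)) for kw, pat, nc in found]

def would_alert(rule, request):
    """Simplified model: the rule fires only if every pattern is present."""
    uri = request.split(b" ", 2)[1]
    for kw, pat, nocase in parse_matches(rule):
        hay = uri if kw == "uricontent" else request
        if nocase:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    return True

def checkin(host):
    """Constructed HTTP request carrying the URI pieces the rule looks for."""
    return f"GET /cd/x.php?id=1&ver=1 HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

if __name__ == "__main__":
    for name, rule in [("posted", POSTED_RULE), ("fixed", FIXED_RULE),
                       ("no-host", NO_HOST_RULE)]:
        print(name, would_alert(rule, checkin("gicia.info")))
```
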